CVE-2025-8592 – Inspiro [THEME] – Unauth CSRF Leads to Arbitrary Plugin Upload and Remote Code Execution – POC

CVE-2025-8592 affects the popular Inspiro WordPress theme, which has amassed over 100,000 active installations. This vulnerability arises from an unauthenticated Cross-Site Request Forgery (CSRF) flaw in the theme’s AJAX handlers, specifically the inspiro_install_plugin action. By tricking an unsuspecting site administrator into visiting a malicious page, an attacker can silently install and activate plugins of their choosing from the official WordPress repository. If the forced plugin contains file-upload capabilities or known security weaknesses, the attacker can achieve full remote code execution (RCE) on the compromised site.

Plugin Security Certification (PSC-2025-64595): “Category Order and Taxonomy Terms Order” – Version 1.9: Use Category Order with Enhanced Security

Category Order and Taxonomy Terms Order is a lightweight yet powerful WordPress plugin that enables administrators to reorder categories and custom taxonomy terms with a drag-and-drop interface. Developed by Nsp-Code, this plugin enhances site structure and usability without requiring theme or plugin modifications.
While primarily a tool for content organization, it also interacts directly with queries and the WordPress admin environment—areas where poorly implemented code could create vulnerabilities. That’s why CleanTalk’s Plugin Security Certification (PSC-2025-64595) is an important milestone: it validates that this plugin has been extensively audited and is safe to use in production environments.

Plugin Security Certification (PSC-2025-64594): “WP-PageNavi” – Version 2.94.5: Use Fancy Pagination Links with Enhanced Security

WP-PageNavi is one of the most widely used plugins for adding advanced paging navigation to WordPress. Instead of the basic “Older posts | Newer posts” links, it provides a more user-friendly and customizable pagination interface that improves navigation across archives, blogs, and multipage posts. With a long-standing reputation for reliability, WP-PageNavi is trusted by thousands of site owners to enhance usability.
Now, with the Plugin Security Certification (PSC-2025-64594) by CleanTalk, WP-PageNavi has also been recognized for its secure coding practices and resistance to modern web-based threats. This certification gives WordPress administrators confidence that the plugin is not only functional but also fully aligned with today’s security standards.

CVE-2025-9202 – ColorMag [THEME] – Missing Authorization to Authenticated (Subscriber+) Plugin Installation – POC

ColorMag is a widely used WordPress theme known for its magazine-style layouts and robust customization options, currently active on over 50,000 sites. It offers a seamless “import demo content” feature that loads theme demo data and recommended plugins via an AJAX action named import_button. However, a serious security flaw—CVE-2025-9202—has been discovered: the theme exposes the required nonce to Subscriber+ users through wp_localize_script, yet fails to enforce any capability checks. As a result, low-privileged users can invoke the import routine and install arbitrary plugins without proper authorization.

CVE-2025-8085 – Ditty – Unauthenticated SSRF – POC

Ditty is a popular WordPress plugin for creating dynamic content displays—tickers, charts, and news feeds—through a user-friendly block editor interface. With over 50,000 active installations, it’s widely used to embed real-time data and media into pages and posts. However, a critical vulnerability—CVE-2025-8085—has been identified in its REST API: an unauthenticated Server-Side Request Forgery (SSRF) flaw in the endpoint wp-json/dittyeditor/v1/displayItems. This allows any unauthenticated visitor to coerce the server into fetching arbitrary external or internal URLs, potentially exposing internal network resources or enabling further exploits like remote code execution or data exfiltration.

Plugin Security Certification (PSC-2025-64592): “Redux Framework” – Version 4.5.7: Use Redux with Enhanced Security

The Redux Framework has long been the go-to options framework for WordPress developers. It provides an extensible, fully responsive environment for building option panels, customizer controls, and advanced UI fields for themes and plugins. By saving developers months of work, Redux accelerates innovation while maintaining a clean, standards-based architecture.
With the release of version 4.5.7, Redux Framework has officially achieved the Plugin Security Certification (PSC-2025-64592) by CleanTalk, confirming its resilience against critical web application vulnerabilities. This certification ensures that developers can integrate Redux into their projects with full confidence in both functionality and security hardening.

Plugin Security Certification (PSC-2025-64591): “GDPR Cookie Compliance” – Version 5.0.6: Use GDPR Compliance with Enhanced Security

Ensuring compliance with GDPR, CCPA, DSGVO, and other global privacy regulations is critical for every WordPress-powered website. The GDPR Cookie Compliance plugin (v5.0.6) provides an all-in-one solution for cookie consent management, offering flexibility, transparency, and full compliance with international data protection laws.
With its latest achievement, the plugin has been awarded the Plugin Security Certification (PSC-2025-64591) by CleanTalk, guaranteeing that its codebase is secure, hardened, and resilient against exploitation. This recognition reinforces the plugin’s position as one of the most trusted cookie compliance solutions for WordPress.

Plugin Security Certification (PSC-2025-64590): “UpdraftPlus” – Version 1.25.7: Use Backups with Enhanced Security

UpdraftPlus is the most trusted and widely used backup and migration plugin for WordPress, installed on more than 3 million websites worldwide. From simple scheduled backups to advanced migrations, it empowers site owners to protect and restore their WordPress environments with ease. With its extensive storage options—including Google Drive, Dropbox, Amazon S3, OneDrive, Azure, Backblaze, and more—UpdraftPlus provides unmatched flexibility.
Now, with its successful Plugin Security Certification (PSC-2025-64590) by CleanTalk, UpdraftPlus is officially recognized as not only the most feature-rich backup solution, but also as one of the most secure. This certification assures WordPress users that the plugin has undergone rigorous security audits to protect against a wide range of vulnerabilities.

Plugin Security Certification (PSC-2025-64588): “Superb Addons” – Version 3.6.2: Upgrade WordPress Editor with Enhanced Security

The Superb Addons plugin has quickly become one of the most popular solutions for enhancing the WordPress Gutenberg editor and other popular page builders. With its 10+ custom blocks, 200+ patterns, 50+ pre-built pages, animations, and a robust Theme Designer, it empowers website owners to create professional, responsive, and SEO-friendly websites without writing a single line of code.
Now, with its successful completion of the Plugin Security Certification (PSC-2025-64588) by CleanTalk, Superb Addons not only delivers cutting-edge features but also guarantees code-level security and reliability. This certification proves that the plugin has been rigorously tested against the most common and dangerous vulnerabilities in the WordPress ecosystem.

CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC

OceanWP is a widely adopted WordPress theme, boasting over 50,000 active installations thanks to its performance-optimized code and extensive customization options. To further extend its capabilities, it relies on a companion plugin, Ocean Extra, which adds demo import, custom widgets, and additional theme settings. However, a critical vulnerability—CVE-2025-8891—has been discovered: an unauthenticated Cross-Site Request Forgery (CSRF) flaw that allows any visitor to invoke the oceanwp_notice_button_click AJAX action. This function, when called, automatically installs or activates the Ocean Extra plugin, effectively granting low-privileged users the ability to install new code on the site without any consent or proper authorization checks.