Plugin Security Certification (PSC-2025-64588): “Superb Addons” – Version 3.6.1: Upgrade WordPress Editor with Enhanced Security

The Superb Addons plugin has quickly become one of the most popular solutions for enhancing the WordPress Gutenberg editor and other popular page builders. With its 10+ custom blocks, 200+ patterns, 50+ pre-built pages, animations, and a robust Theme Designer, it empowers website owners to create professional, responsive, and SEO-friendly websites without writing a single line of code.
Now, with its successful completion of the Plugin Security Certification (PSC-2025-64588) by CleanTalk, Superb Addons not only delivers cutting-edge features but also guarantees code-level security and reliability. This certification proves that the plugin has been rigorously tested against the most common and dangerous vulnerabilities in the WordPress ecosystem.

CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC

OceanWP is a widely adopted WordPress theme, boasting over 50,000 active installations thanks to its performance-optimized code and extensive customization options. To further extend its capabilities, it relies on a companion plugin, Ocean Extra, which adds demo import, custom widgets, and additional theme settings. However, a critical vulnerability—CVE-2025-8891—has been discovered: an unauthenticated Cross-Site Request Forgery (CSRF) flaw that allows any visitor to invoke the oceanwp_notice_button_click AJAX action. This function, when called, automatically installs or activates the Ocean Extra plugin, effectively granting low-privileged users the ability to install new code on the site without any consent or proper authorization checks.

CVE-2025-8595 – Zakra [THEME] – Missing Authorization to Subscriber+ Demo Import – POC

The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.

Plugin Security Certification (PSC-2025-64584): “Joinchat” – Version 6.0.6: Use Chat Integrations with Enhanced Security

While its functionality is impressive, security remains a critical factor when embedding third-party scripts and handling visitor interactions. A vulnerable chat plugin could become a direct entry point for attackers—risking data leakage, phishing, and even complete site compromise. Recognizing this, Joinchat version 6.0.6 underwent an extensive Plugin Security Certification process by CleanTalk and has successfully earned PSC-2025-64584.

CVE-2025-6790 – Quiz And Survey Master (QSM) – Template Creation via CSRF – POC

Quiz And Survey Master (QSM) is a powerful WordPress plugin used to design and deploy quizzes, surveys, and assessments, with over 50,000 active installations. Despite its extensive use for educational and marketing purposes, a critical vulnerability—CVE-2025-6790—has been identified that permits unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) against its AJAX endpoint for quiz template creation. This flaw allows an attacker to inject arbitrary templates into the system, potentially enabling further administrative actions or content hijacking without requiring any valid credentials.

Plugin Security Certification (PSC-2025-64582): “Everest Forms” – Version 3.4.0: Use Awesome Forms with Enhanced Security

Everest Forms has officially passed the Plugin Security Certification (PSC-2025-64582), issued by CleanTalk, following an exhaustive security audit. This validation affirms that Everest Forms is not only powerful in capability but also hardened against modern web threats, making it a safe solution for any WordPress website—personal, corporate, or eCommerce.

CVE-2025-8015 – Shortcodes Ultimate – Stored XSS (Author+) to Admin Account Creation – POC

Shortcodes Ultimate is a ubiquitous WordPress plugin used by over 500,000 websites to effortlessly embed rich content—galleries, tabs, sliders—through simple shortcode syntax. While its drag-and-drop gallery builder and extensive shortcode library enhance user experience, a serious security flaw—CVE-2025-8015—has been discovered. This vulnerability permits an Author+ user to inject persistent JavaScript into gallery items (via image links or titles), which executes when administrators or other privileged users interact with the gallery. Ultimately, attackers can escalate privileges, create admin backdoors, and fully compromise the site.

CVE-2025-7369 – Shortcodes Ultimate – Unauthenticated Stored XSS via CSRF to Admin Account Creation – POC

The Shortcodes Ultimate plugin is a widely used WordPress toolkit, enabling site owners to add rich content elements—buttons, tabs, sliders—via simple shortcodes. With over 500,000 active installations, it is a go-to plugin for visual enhancements. However, a critical vulnerability, CVE-2025-7369, allows unauthenticated attackers to exploit a lack of CSRF protection on the plugin’s AJAX preview endpoint. By submitting a specially crafted form, an attacker can store malicious JavaScript in the database that executes in the administrator’s browser, opening the door to a full account-takeover backdoor.

Plugin Security Certification (PSC-2025-64581): “Performance Lab” – Version 3.9.0: Check Performance of your site with Enhanced Security

As site speed and resource efficiency become vital factors in user experience and SEO, the Performance Lab plugin emerges as a strategic asset for WordPress site owners and developers. Built by the official WordPress Performance Team, this plugin acts as a modular testing ground for new performance-enhancing features that are expected to land in the WordPress core in the future.

Performance Lab has not only optimized web performance, but also achieved a significant security milestone by passing CleanTalk’s rigorous Plugin Security Certification process—PSC-2025-64581. This confirms the plugin’s readiness for production environments where performance and security must go hand in hand.

Plugin Security Certification (PSC-2025-64579): “Custom Post Type UI” – Version 1.18.0: Custom Post Types with Enhanced Security

Custom content structures are a cornerstone of advanced WordPress development. The Custom Post Type UI plugin empowers administrators and developers by offering a robust and user-friendly interface for registering and managing custom post types and taxonomies—without writing a single line of code.

Custom Post Type UI has successfully passed a comprehensive security audit and earned the Plugin Security Certification (PSC-2025-64579) from CleanTalk. This milestone confirms that the plugin adheres to the highest standards of secure coding practices, allowing users to leverage custom content types with confidence and protection.

From streamlining content architecture to enabling flexible taxonomies, CPTUI enhances WordPress functionality without compromising security.