Plugin Security Certification (PSC-2025-64566): “Joinchat” – Version 5.2.4: Use Chat with Enhanced Security

JoinChat is a powerful communication plugin designed to enhance user engagement by integrating WhatsApp and other chat platforms directly into your WordPress website. With its intuitive interface, JoinChat enables site owners to place a floating contact button that connects users to WhatsApp on mobile and desktop, delivering real-time, personalized support. JoinChat supports multiple customization options, analytics integration, WooCommerce compatibility, and dynamic content for each page or product.

Beyond functionality, JoinChat stands out for its emphasis on code quality and security. The plugin has passed a full-scale security audit and has been awarded the Plugin Security Certification (PSC-2025-64566) by CleanTalk, assuring WordPress site owners of a safe and robust integration with modern messaging tools.

Plugin Security Certification (PSC-2025-64565): “WooCommerce Shipping & Tax” – Version 2.8.9: Use Shipping with Enhanced Security

WooCommerce Shipping & Tax is a vital extension for any WooCommerce-powered store that simplifies two of the most complex parts of running an eCommerce business: shipping and taxes. This plugin offloads critical services such as label generation and tax calculation to Automattic’s robust and secure cloud infrastructure. By doing so, it minimizes dependency on your own hosting environment, ensuring faster response times and increased platform stability.

With the ability to instantly print USPS and DHL shipping labels and automatically calculate accurate tax rates at checkout, WooCommerce Shipping & Tax is designed to save store owners time, money, and resources. The plugin has successfully passed a comprehensive security review and has been awarded the Plugin Security Certification (PSC-2025-64565) by CleanTalk, confirming its reliability and code integrity.

Plugin Security Certification (PSC-2025-64563): “Autoptimize” – Version 6.0.1: Use Optimization with Enhanced Security

Autoptimize is a high-performance optimization plugin for WordPress designed to dramatically speed up your website. By aggregating, minifying, and caching JavaScript, CSS, and HTML, the plugin delivers leaner and faster page loads. It also improves performance by inlining critical CSS, deferring script execution, and supporting modern image formats such as WebP and AVIF. Built with flexibility and extensibility in mind, Autoptimize provides a robust API that lets developers fine-tune optimizations for specific site requirements. With Autoptimize Pro, users gain premium features such as an image CDN, page caching, critical CSS automation, and more.

Autoptimize has undergone rigorous code review and security testing, achieving the Plugin Security Certification (PSC-2025-64563) from CleanTalk, ensuring peace of mind for site owners and developers who prioritize security.

CVE-2025-1524 – Ultimate Dashboard < 3.8.6 – Stored XSS to Admin Creation – POC

The Ultimate Dashboard plugin is a popular tool for customizing the WordPress admin dashboard, used by site owners and developers to enhance the client experience with personalized widgets, custom admin pages, and visual tweaks. However, in versions prior to 3.8.6, the plugin was affected by a Stored Cross-Site Scripting (XSS) vulnerability that could lead to privilege escalation, including unauthorized admin account creation.

This vulnerability, tracked as CVE-2025-1524, represents a critical example of how seemingly innocuous customization features can become attack vectors when proper sanitization is not enforced.

Plugin Security Certification (PSC-2025-64562): “Redux Framework” – Version 4.5.7: Use Framework with Enhanced Security

Redux Framework is a robust and developer-centric options framework for WordPress, designed to streamline and simplify theme and plugin development. Instead of reinventing the wheel with each project, Redux provides a scalable, extensible foundation for building powerful admin panels using a single, well-documented configuration file. Supporting a wide array of field types, integrated Google Fonts, compiler hooks, and validation mechanisms, Redux is a complete toolkit built for innovation.

With full responsiveness and WordPress-native integration, Redux accelerates development without compromising code quality. It enables developers to build powerful options panels faster, while also maintaining structured, secure, and maintainable code. Redux has undergone extensive security auditing and proudly holds the Plugin Security Certification (PSC-2025-64562) from CleanTalk, ensuring a secure development experience.

CVE-2025-1523 – Ultimate Dashboard < 3.8.6 – Stored XSS to Admin Creation – POC

The Ultimate Dashboard plugin is a popular tool for customizing the WordPress admin dashboard, used by site owners and developers to enhance the client experience with personalized widgets, custom admin pages, and visual tweaks. However, in versions prior to 3.8.6, the plugin was affected by a Stored Cross-Site Scripting (XSS) vulnerability that could lead to privilege escalation, including unauthorized admin account creation.

This vulnerability, tracked as CVE-2025-1523, represents a critical example of how seemingly innocuous customization features can become attack vectors when proper sanitization is not enforced.

CVE-2024-13207 – Widget for Social Page Feeds < 6.4.2 – Stored XSS to Backdoor Creation – POC

In April 2024, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the popular WordPress plugin Widget for Social Page Feeds (formerly known as “Facebook Page Like Widget”). This plugin is installed on over 80,000 WordPress sites and is widely used to display Facebook page feeds in sidebars and other widget areas. The vulnerability, assigned CVE-2024-13207, affects all plugin versions below 6.4.2 and can allow attackers to inject malicious JavaScript, potentially leading to full site compromise.

CVE-2024-13610 – Simple Social Media Share Buttons < 6.0.0 – Stored XSS to Backdoor Creation – POC

In early 2024, a security flaw was identified in the popular WordPress plugin Simple Social Media Share Buttons, used on thousands of websites to enhance social media engagement. The vulnerability, now tracked as CVE-2024-13610, allows attackers to inject persistent JavaScript (Stored XSS) into the admin panel via the YouTube Channel ID field inside the widget settings. In the worst-case scenario, this could lead to the creation of backdoor admin accounts, full site compromise, or even malware distribution to site visitors.

CVE-2025-1762 – Event Tickets with Ticket Scanner <= 2.5.4 – Arbitrary Tickets Deletion via CSRF – POC

Cross-Site Request Forgery (CSRF) is a web vulnerability in which an attacker causes a victim's browser to send a state-changing request to a site where the victim is already authenticated, so the action executes with the victim's privileges even though the victim never intended it. In the Event Tickets with Ticket Scanner plugin (versions <= 2.5.4), the ticket deletion action did not verify that the request was intentionally initiated by the user (no nonce check), so an attacker who lured a privileged logged-in user to a crafted page could delete tickets without authorization.
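The pattern behind this class of bug, shown as an added example that is not code from Event Tickets with Ticket Scanner or from CleanTalk's write-up: a WordPress `admin-post.php` handler that deletes rows on any request carrying the right parameters, next to a hardened handler that requires a capability, a POST body, and a valid nonce. The action name `etws_delete_tickets`, the table name `etws_tickets`, the nonce name `_etws_nonce` and the admin page slug are all assumed for illustration.

```php
<?php
// Added example, not the plugin's own code. Action, table and nonce names are assumed.

// VULNERABLE pattern: a destructive admin-post handler with no proof of intent.
// A logged-in administrator who merely loads an attacker-controlled page containing
//   <img src="https://victim.example/wp-admin/admin-post.php?action=etws_delete_tickets_vuln&all=1">
// fires this handler with the administrator's session cookies attached.
add_action( 'admin_post_etws_delete_tickets_vuln', function () {
    global $wpdb;
    if ( ! empty( $_GET['all'] ) ) {
        $wpdb->query( "DELETE FROM {$wpdb->prefix}etws_tickets" ); // no nonce, no capability check
    }
    wp_safe_redirect( admin_url( 'admin.php?page=etws-tickets' ) );
    exit;
} );

// HARDENED pattern: three independent checks before any state change.
//   1. capability  - is this user allowed to perform the action at all?
//   2. method      - destructive actions only on POST, so a bare link or <img> cannot trigger them.
//   3. nonce       - was the request produced by a form we rendered for this user?
add_action( 'admin_post_etws_delete_tickets', function () {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // Verifies the _etws_nonce field; on failure WordPress dies with
    // "The link you followed has expired." before reaching the delete.
    check_admin_referer( 'etws_delete_tickets', '_etws_nonce' );

    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    if ( 0 === $ticket_id ) {
        wp_die( 'Missing ticket id', '', array( 'response' => 400 ) );
    }

    // Parameterised delete of exactly one row; no bulk "all" switch reachable from a URL.
    $wpdb->delete( $wpdb->prefix . 'etws_tickets', array( 'id' => $ticket_id ), array( '%d' ) );

    wp_safe_redirect( add_query_arg( 'deleted', 1, admin_url( 'admin.php?page=etws-tickets' ) ) );
    exit;
} );

// The only legitimate way to reach the hardened handler. wp_nonce_field() emits the hidden
// _etws_nonce input (and _wp_http_referer) that check_admin_referer() validates above.
function etws_render_delete_form( $ticket_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="etws_delete_tickets">
        <input type="hidden" name="ticket_id" value="<?php echo esc_attr( (int) $ticket_id ); ?>">
        <?php wp_nonce_field( 'etws_delete_tickets', '_etws_nonce' ); ?>
        <button type="submit" class="button button-secondary">Delete ticket</button>
    </form>
    <?php
}
```

Two caveats a reviewer should keep in mind. A nonce is not an authorization check: WordPress nonces are tied to the user's session, so the `current_user_can()` test is still what stops a low-privileged account from deleting data with its own valid nonce. And a nonce does not help once an attacker can run JavaScript in the administrator's browser, because the script can read the nonce from the page and submit the form itself; that is why the stored XSS entries on this page escalate to account creation even on sites whose forms are nonce-protected.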

CVE-2024-13313 – AWeber < 7.3.21 – Stored XSS to Backdoor Creation – POC

The AWeber – Free Sign Up Form and Landing Page Builder plugin for WordPress is designed to support email marketing, lead generation, and newsletter management. It lets users create and embed sign-up forms, automate email campaigns, and integrate various marketing tools. However, a critical security vulnerability, CVE-2024-13313, was identified in versions below 7.3.21, allowing Stored Cross-Site Scripting (XSS) attacks. This article explores the discovery, exploitation, and mitigation of this vulnerability.