Plugin Security Certification (PSC-2026-64645): “Forminator Forms – Contact Form, Payment Form & Custom Form Builder” – Version 8.6.0

Forminator Forms – Contact Form, Payment Form & Custom Form Builder (v1.53.1) is a multifunctional WordPress plugin that enables the creation of forms, polls, quizzes, payment forms, and lead-generation tools through a drag-and-drop interface. It integrates with payment gateways, CRMs, and third-party services, making it a high-impact component in the application security surface.

Built for websites running on WordPress, Forminator handles sensitive user data, payments, file uploads, and AJAX interactions — making security a critical requirement.

The plugin's functionality includes payments (Stripe, PayPal), quizzes, surveys, integrations, and GDPR-ready data handling.

Plugin Security Certification (PSC-2026-64643): “Bug reporting tool & Website feedback. Spotfix” – Version 1.0.4

Bug reporting tool & Website feedback – Spotfix (v1.0.4) is a lightweight WordPress plugin that enables users to submit contextual feedback directly on website pages. By allowing visitors to highlight specific elements and attach comments (“Spots”), the plugin transforms feedback into structured, actionable tasks.

Designed for websites running on WordPress, Spotfix integrates frontend interaction with backend task management via external services, enabling teams to track and resolve issues efficiently.

Because the plugin processes user-generated content, interacts with external APIs, and injects frontend JavaScript widgets, a comprehensive security audit was conducted.

Plugin Security Certification (PSC-2026-64642): “MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor” – Version 4.1.3

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor (v4.1.3) is a powerful drag-and-drop form builder plugin designed to extend Elementor with advanced form creation capabilities. It allows users to build complex forms such as contact forms, surveys, booking forms, payment forms, and more without writing code.

Built for websites running on WordPress, MetForm integrates deeply into both frontend and backend workflows, handling user input, data storage, AJAX submissions, file uploads, and third-party integrations.

With over 600,000 active installations, the plugin operates in a highly sensitive layer of application logic, making security a critical factor. A comprehensive source-code audit was conducted to evaluate its safety.

Plugin Security Certification (PSC-2026-64637): “MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites” – Version 6.0.5

MainWP Child – Securely Connects to the MainWP Dashboard (v6.0.5) is a WordPress plugin designed to establish a secure connection between individual WordPress sites and a self-hosted MainWP Dashboard. This architecture allows centralized management of multiple websites, including updates, backups, monitoring, and content administration.

Built for websites running on WordPress, the plugin acts as a controlled communication bridge between managed sites and the MainWP Dashboard.

Due to its role in remote management and cross-site communication, MainWP Child operates in a highly sensitive security context. As a result, a comprehensive security audit of its codebase and communication mechanisms was conducted.

Plugin Security Certification (PSC-2026-64636): “Spectra Gutenberg Blocks” – Version 2.19.21

Spectra Gutenberg Blocks (v2.19.21) is an advanced extension for the WordPress block editor (Gutenberg), providing over 30 customizable blocks, layout tools, templates, and UI components for building modern websites without coding.

Designed for websites running on WordPress, Spectra enhances the native editor instead of replacing it, allowing users to build feature-rich pages while maintaining compatibility with WordPress core architecture.

With over 1 million active installations, Spectra operates at a critical layer of content rendering and user interaction. Due to its complexity and broad functionality (including dynamic content, forms, popups, and frontend rendering), a comprehensive security audit was conducted.

Plugin Security Certification (PSC-2026-64630): “SpeedyCache – Cache, Optimization, Performance” – Version 1.3.7

SpeedyCache – Cache, Optimization, Performance (v1.3.7) is a WordPress performance plugin designed to improve website speed through caching, minification, compression, and resource optimization. By generating static cache files and optimizing frontend assets, the plugin reduces server load and accelerates page delivery.

Built for websites running on WordPress, SpeedyCache provides a comprehensive optimization toolkit while maintaining compatibility with shared hosting environments and CDN integrations.

Given its deep interaction with caching layers, file generation, HTTP headers, and resource processing, a detailed security audit was conducted.

CVE-2026-1430 – WP Lightbox 2 Stored XSS

WP Lightbox 2 is a WordPress plugin designed to add a responsive lightbox overlay effect to images displayed on a website. The plugin automatically enables lightbox functionality for images and galleries and provides several configuration options, including animation settings, overlay opacity, image information display, and additional descriptive text.

During security testing, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the plugin’s settings panel. The issue allows malicious JavaScript to be injected through the “Additional text below image info” configuration field. Because this value is stored and later rendered on pages where the lightbox is used, the injected script may execute in the browsers of site visitors or administrators.

Plugin Security Certification (PSC-2026-64628): “Favicon by RealFaviconGenerator” – Version 1.3.45

Favicon by RealFaviconGenerator (v1.3.45) is a WordPress plugin that automates the generation and deployment of platform-compatible favicons for desktop browsers, iOS devices, Android devices, Windows tablets, and more.

Modern favicon implementation requires multiple image sizes, platform-specific declarations, and compliance with different UI standards. This plugin simplifies the process by integrating WordPress with the RealFaviconGenerator service, generating all required assets in seconds.

Built for websites running on WordPress, the plugin eliminates manual favicon configuration while ensuring compatibility across browsers and operating systems.

Because the plugin interacts with an external generation service, performs file operations, and modifies theme headers, a structured security audit was conducted.

Plugin Security Certification (PSC-2026-64627): “All 404 Redirect to Homepage” – Version 5.5

All 404 Redirect to Homepage (v5.5) is a WordPress plugin designed to automatically redirect 404 error pages to a specified destination using 301 SEO redirects. Instead of allowing visitors to encounter broken links, the plugin routes them to the homepage or a custom URL defined by the administrator.

Built for websites running on WordPress, the plugin focuses on improving SEO performance and user experience by minimizing exposure to 404 errors and preserving link equity.

However, because redirection logic directly affects HTTP responses and routing behavior, secure implementation is critical. Improper redirect handling can introduce open redirect vulnerabilities, redirect loops, or SEO manipulation vectors. Therefore, this plugin underwent a structured security audit.