Plugin Security Certification (PSC-2025-64586): “WP Downgrade” – Version 1.2.6: Use Automatic Update WP with Enhanced Security

Plugin Security Certification (PSC-2025-64586): “WP Downgrade” – Version 1.2.6: Use Automatic Update WP with Enhanced Security

WP Downgrade | Specific Core Version is a vital WordPress plugin that allows administrators to downgrade or update their WordPress Core to a specific release. Unlike the default WordPress update routine, which only installs the latest release, this plugin provides flexible control over Core updates, enabling users to remain on a previous secure version or selectively update to compatible releases.

This is particularly useful for sites relying on plugins or themes that are not yet compatible with the latest WordPress release. By forcing WordPress to recognize a chosen version as the latest, WP Downgrade simplifies updates while maintaining compatibility and stability.

With the new advanced option, users can manually adjust the download link, enabling tasks like language-specific core downloads or fetching releases from alternative sources—all without compromising security.

Plugin Security Certification (PSC-2025-64585): “Auto Image Attributes From Filename With Bulk Updater” – Version 4.7.1: Use Image SEO with Enhanced Security

Plugin Security Certification (PSC-2025-64585): “Auto Image Attributes From Filename With Bulk Updater” – Version 4.7.1: Use Image SEO with Enhanced Security

Auto Image Attributes From Filename With Bulk Updater (v4.6) is a powerful WordPress plugin designed to automate the generation of essential image attributes—Alt Text, Title, Caption, and Description—directly from image filenames. By restoring and enhancing features that WordPress deprecated in earlier versions, this plugin significantly boosts both SEO and website accessibility.

Properly defined image attributes not only improve Google, Yahoo, and Bing image search rankings, but also ensure compliance with accessibility standards by helping users with visual impairments understand the content of your images.

With its bulk updater, administrators can quickly optimize entire media libraries in a single click, saving valuable time while ensuring consistency across all images.

Plugin Security Certification (PSC-2025-64583): “String locator” – Version 2.6.7: Use Search locator with Enhanced Security

Plugin Security Certification (PSC-2025-64583): “String locator” – Version 2.6.7: Use Search locator with Enhanced Security

String Locator is a specialized WordPress plugin designed to help developers, administrators, and site managers quickly find and edit text strings within themes, plugins, and even WordPress core files. This tool eliminates the guesswork of locating hardcoded text by providing precise search results, including file paths, matching lines, and contextual previews.

The plugin also features in-browser editing, allowing you to make changes directly from the search results. Before saving, it runs a built-in consistency check that scans for unbalanced braces, brackets, and parentheses, reducing the risk of syntax errors and broken functionality. While not a substitute for full testing, this safeguard significantly minimizes common editing mistakes.

For maximum safety, it’s recommended to work on a staging site before deploying changes to production.

Plugin Security Certification (PSC-2025-64580): “AI Engine” – Version 3.2.7: Use AI with Enhanced Security

Plugin Security Certification (PSC-2025-64580): “AI Engine” – Version 3.2.7: Use AI with Enhanced Security

AI Engine is an advanced WordPress plugin designed to bridge the power of modern AI models (like GPT-4.1, Claude, Gemini, o4, and others) with the flexibility and usability of WordPress. Whether you’re aiming to build custom chatbots, generate content, translate articles, or automate content workflows, AI Engine provides a powerful and secure solution—all from within the WordPress dashboard.

With deep integrations, developer-ready APIs, and support for multiple AI providers, AI Engine allows website owners to build intelligent, interactive, and efficient websites that scale with their needs. Beyond just functionality, the plugin has undergone rigorous code-level inspection and has been certified with the Plugin Security Certification (PSC) from CleanTalk, confirming its secure development practices and strong protection measures.

CVE-2025-3414 – Structured Content <= 1.6.4 Contributor+ – Stored XSS to JS Backdoor Creation – POC

CVE-2025-3414 – Structured Content <= 1.6.4 Contributor+  – Stored XSS to JS Backdoor Creation – POC

The Structured Content plugin helps WordPress users enhance their pages with rich JSON-LD schema.org structured data elements. It allows for the insertion of components like FAQs, job postings, events, and more, with options to display the content as visible HTML or hidden machine-readable data.

However, in version 1.6.4 and below, a Stored Cross-Site Scripting (XSS) vulnerability was identified that allows users with Contributor privileges to inject malicious JavaScript via the “Additional CSS class(es)” field in FAQ blocks. This XSS payload is then persistently stored and can be executed when the HTML is rendered, leading to account compromise or further exploitation.

CVE-2025-6572 – OpenStreetMap – Stored XSS to JS Backdoor Creation – POC

CVE-2025-6572 – OpenStreetMap – Stored XSS to JS Backdoor Creation – POC

The OpenStreetMap for Gutenberg and WPBakery Page Builder plugin is designed to help WordPress users easily embed customizable and interactive maps into their posts and pages. However, in version 1.2.0 and below, a Stored Cross-Site Scripting (XSS) vulnerability exists, which allows Contributor-level users to inject persistent JavaScript code into map marker popup text. This can lead to account compromise, content injection, and potentially full site takeover.

Plugin Security Certification (PSC-2025-64577): “SiteGuard WP Plugin” – Version 8.1.4: Use Guard Plugin with Enhanced Security

Plugin Security Certification (PSC-2025-64577): “SiteGuard WP Plugin” – Version 8.1.4: Use Guard Plugin with Enhanced Security

SiteGuard WP Plugin is a dedicated WordPress security solution built to combat brute force login attacks and unauthorized access attempts. With its focus on login endpoint protection, SiteGuard enhances the default WordPress security posture by introducing multiple defensive layers—ranging from login page obfuscation to IP-based access filtering. Unlike general-purpose security suites, SiteGuard zeroes in on the most commonly abused attack vectors, providing lightweight and robust protection with minimal configuration.

Developed by JP-Secure, the plugin includes advanced features like CAPTCHA integration, login rate limiting, email alerts, and author enumeration blocking. These tools are engineered to resist automated login bots, password spraying attacks, and information disclosure exploits. Owing to its focused architecture and strict development standards, SiteGuard WP Plugin 1.7.8 has been independently audited and certified by CleanTalk, receiving the Plugin Security Certification (PSC) with ID PSC-2025-64577.

Plugin Security Certification (PSC-2025-64576): “EWWW Image Optimizer” – Version 8.3.0: Use Optimizer Plugin with Enhanced Security

Plugin Security Certification (PSC-2025-64576): “EWWW Image Optimizer” – Version 8.3.0: Use Optimizer Plugin with Enhanced Security

EWWW Image Optimizer (EWWW IO) is a high-performance WordPress plugin designed to enhance site speed and SEO by automatically optimizing image files across your entire website. Whether you’re dealing with the WordPress Media Library, theme assets, or third-party plugin images, EWWW IO ensures that every image is compressed efficiently without compromising quality. The plugin supports a wide range of formats, including JPG, PNG, WebP, SVG, PDF, and the next-gen AVIF, with adaptive and intelligent conversion to deliver optimal file types for every use case.

EWWW IO can perform all optimizations locally on your server using powerful image processing tools or offload them to specialized servers via Easy IO CDN. With features such as lazy loading, bulk optimization, WebP/AVIF conversion, and comprehensive plugin compatibility, it serves as a complete image performance suite. EWWW IO is not only built for speed but also engineered with strong security practices, having earned the Plugin Security Certification (PSC) from CleanTalk.

Plugin Security Certification (PSC-2024-64575): “Table of Contents Plus” – Version 2411.1: Use Content Plugin with Enhanced Security

Plugin Security Certification (PSC-2024-64575): “Table of Contents Plus” – Version 2411.1: Use Content Plugin with Enhanced Security

Table of Contents Plus is a powerful and user-friendly WordPress plugin designed to automatically generate structured, context-specific tables of contents (TOC) for long-form content and custom post types. Inspired by Wikipedia’s navigation standards, the plugin enhances readability and SEO by providing a logical content structure for users and search engines alike. Beyond a traditional TOC, it also offers built-in support for generating sitemaps of pages, categories, and posts across the site. With seamless shortcode functionality, advanced customization options, and robust theme compatibility, Table of Contents Plus is ideal for content-heavy websites and blogs seeking to improve user experience and page navigation.

After undergoing rigorous security testing and static code analysis, the plugin has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, ensuring its compliance with high-level security standards and safe deployment on any WordPress installation.

CVE-2025-5730 – Easy Contact Form Lite < 1.1.29 – Contributor+ Stored XSS

CVE-2025-5730 – Easy Contact Form Lite < 1.1.29 – Contributor+ Stored XSS

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities affecting WordPress plugins, especially those that allow user-generated content. In the Easy Contact Form Lite plugin (versions prior to 1.1.29), a stored XSS vulnerability was discovered that allows Contributor-level users to inject persistent JavaScript into the form’s placeholder field. This can lead to session hijacking, site defacement, and privilege escalation attacks if exploited by a malicious user.