Plugin Security Certification (PSC-2025-64589): “WP Log Manager” – Version 5.4.2: Use Logs with Enhanced Security

Plugin Security Certification (PSC-2025-64589): “WP Log Manager” – Version 5.4.2: Use Logs with Enhanced Security

WP Activity Log is a powerful WordPress plugin designed to provide detailed, real-time logging of all activities across your WordPress sites and multisite networks. From user login attempts to changes in posts, plugins, themes, and settings, this plugin gives administrators full visibility into everything that happens on their websites.

With its granular event tracking, WP Activity Log helps site owners improve security, accountability, compliance, and troubleshooting. Administrators can detect suspicious activity before it escalates, meet compliance standards such as GDPR and PCI DSS, and streamline user management with accurate records of who did what, when, and from where.

By ensuring every action is logged, WP Activity Log provides a transparent and secure environment, making it a vital tool for businesses, agencies, and security professionals managing WordPress-powered sites.

Plugin Security Certification (PSC-2025-64588): “Superb Addons” – Version 3.6.2: Upgrade WordPress Editor with Enhanced Security

Plugin Security Certification (PSC-2025-64588): “Superb Addons” – Version 3.6.2: Upgrade WordPress Editor with Enhanced Security

The Superb Addons plugin has quickly become one of the most popular solutions for enhancing the WordPress Gutenberg editor and other popular page builders. With its 10+ custom blocks, 200+ patterns, 50+ pre-built pages, animations, and a robust Theme Designer, it empowers website owners to create professional, responsive, and SEO-friendly websites without writing a single line of code.
Now, with its successful completion of the Plugin Security Certification (PSC-2025-64588) by CleanTalk, Superb Addons not only delivers cutting-edge features but also guarantees code-level security and reliability. This certification proves that the plugin has been rigorously tested against the most common and dangerous vulnerabilities in the WordPress ecosystem.

Plugin Security Certification (PSC-2025-64587): “PHP Compatibility Cheker” – Version 1.6.3: Use Automatic Update WP with Enhanced Security

Plugin Security Certification (PSC-2025-64587): “PHP Compatibility Cheker” – Version 1.6.3: Use Automatic Update WP with Enhanced Security

PHP Compatibility Checker is a WordPress plugin developed by WP Engine that helps site administrators and developers analyze their WordPress themes and plugins for compatibility with modern PHP versions.

As WordPress continues to evolve, maintaining compatibility with supported PHP versions is a crucial factor for both performance and security. Outdated PHP releases no longer receive security updates, leaving websites at risk of vulnerabilities. This plugin empowers users to safely transition to newer PHP versions (up to PHP 8.0) by identifying errors and warnings in their installed codebase.

The tool uses linting technology combined with Tide’s scanning infrastructure to analyze plugin and theme files. It generates detailed reports with file names, line numbers, and descriptions of incompatibilities. Additionally, it recommends plugin or theme updates if newer versions include PHP compatibility fixes.

CVE-2025-9111 – WPBOT – Stored XSS – POC

CVE-2025-9111 – WPBOT – Stored XSS – POC

WPBot is a WordPress plugin that provides an AI-powered chatbot for websites, enabling live chat support, lead generation, and data collection. It integrates with OpenAI, ChatGPT, and other LLM services, while also offering built-in automated support without external AI dependencies.

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WPBot Lite that allows users to inject malicious scripts via the FAQ Builder, affecting users with sufficient access (such as contributors or admins reviewing FAQs). This vulnerability can lead to account compromise, data exfiltration, and site takeover.

Plugin Security Certification (PSC-2025-64586): “WP Downgrade” – Version 1.2.6: Use Automatic Update WP with Enhanced Security

Plugin Security Certification (PSC-2025-64586): “WP Downgrade” – Version 1.2.6: Use Automatic Update WP with Enhanced Security

WP Downgrade | Specific Core Version is a vital WordPress plugin that allows administrators to downgrade or update their WordPress Core to a specific release. Unlike the default WordPress update routine, which only installs the latest release, this plugin provides flexible control over Core updates, enabling users to remain on a previous secure version or selectively update to compatible releases.

This is particularly useful for sites relying on plugins or themes that are not yet compatible with the latest WordPress release. By forcing WordPress to recognize a chosen version as the latest, WP Downgrade simplifies updates while maintaining compatibility and stability.

With the new advanced option, users can manually adjust the download link, enabling tasks like language-specific core downloads or fetching releases from alternative sources—all without compromising security.

CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC

CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC

OceanWP is a widely adopted WordPress theme, boasting over 50,000 active installations thanks to its performance-optimized code and extensive customization options. To further extend its capabilities, it relies on a companion plugin, Ocean Extra, which adds demo import, custom widgets, and additional theme settings. However, a critical vulnerability—CVE-2025-8891—has been discovered: an unauthenticated Cross-Site Request Forgery (CSRF) flaw that allows any visitor to invoke the oceanwp_notice_button_click AJAX action. This function, when called, automatically installs or activates the Ocean Extra plugin, effectively granting low-privileged users the ability to install new code on the site without any consent or proper authorization checks.

Plugin Security Certification (PSC-2025-64585): “Auto Image Attributes From Filename With Bulk Updater” – Version 6.0.6: Use Image SEO with Enhanced Security

Plugin Security Certification (PSC-2025-64585): “Auto Image Attributes From Filename With Bulk Updater” – Version 6.0.6: Use Image SEO with Enhanced Security

Auto Image Attributes From Filename With Bulk Updater (v4.4) is a powerful WordPress plugin designed to automate the generation of essential image attributes—Alt Text, Title, Caption, and Description—directly from image filenames. By restoring and enhancing features that WordPress deprecated in earlier versions, this plugin significantly boosts both SEO and website accessibility.

Properly defined image attributes not only improve Google, Yahoo, and Bing image search rankings, but also ensure compliance with accessibility standards by helping users with visual impairments understand the content of your images.

With its bulk updater, administrators can quickly optimize entire media libraries in a single click, saving valuable time while ensuring consistency across all images.

CVE-2025-8595 – Zakra [THEME] – Missing Authorization to Subscriber+ Demo Import – POC

CVE-2025-8595 – Zakra [THEME] – Missing Authorization to Subscriber+ Demo Import – POC

The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.

Plugin Security Certification (PSC-2025-64584): “Joinchat” – Version 6.0.6: Use Chat Integrations with Enhanced Security

Plugin Security Certification (PSC-2025-64584): “Joinchat” – Version 6.0.6: Use Chat Integrations with Enhanced Security

While its functionality is impressive, security remains a critical factor when embedding third-party scripts and handling visitor interactions. A vulnerable chat plugin could become a direct entry point for attackers—risking data leakage, phishing, and even complete site compromise. Recognizing this, Joinchat version 6.0.6 underwent an extensive Plugin Security Certification process by CleanTalk and has successfully earned PSC-2025-64584.

Plugin Security Certification (PSC-2025-64583): “String locator” – Version 2.6.7: Use Search locator with Enhanced Security

Plugin Security Certification (PSC-2025-64583): “String locator” – Version 2.6.7: Use Search locator with Enhanced Security

String Locator is a specialized WordPress plugin designed to help developers, administrators, and site managers quickly find and edit text strings within themes, plugins, and even WordPress core files. This tool eliminates the guesswork of locating hardcoded text by providing precise search results, including file paths, matching lines, and contextual previews.

The plugin also features in-browser editing, allowing you to make changes directly from the search results. Before saving, it runs a built-in consistency check that scans for unbalanced braces, brackets, and parentheses, reducing the risk of syntax errors and broken functionality. While not a substitute for full testing, this safeguard significantly minimizes common editing mistakes.

For maximum safety, it’s recommended to work on a staging site before deploying changes to production.