Plugin Security Certification (PSC-2025-64569): “Widgets for Google Reviews” – Version 12.8: Use Widgets with Enhanced Security

Widgets for Google Reviews is a powerful WordPress plugin designed to help businesses build trust and increase conversions by seamlessly displaying up to 10 Google reviews in stylish, responsive widgets. With over 40 widget layouts and 25 pre-designed styles, this plugin ensures your customer feedback is not only visible but also visually aligned with your brand.

Whether you’re a small local business or a growing e-commerce brand, this plugin makes it effortless to integrate user-generated reviews directly into your site, boosting both credibility and SEO performance. Beyond the attractive visuals and functionality, Widgets for Google Reviews has undergone extensive code-level security analysis and proudly holds the Plugin Security Certification (PSC-2025-64569) issued by CleanTalk, validating its commitment to secure development practices.

CVE-2024-12743 – MailPoet – Stored XSS to JS Backdoor Creation – POC

MailPoet is a popular WordPress plugin for creating and sending newsletters, managing subscribers, and automating email campaigns. With over 600,000 active installations, it is widely used by WordPress site owners for email marketing. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12743, was discovered in the plugin: a user with editor-level privileges can store a malicious script through the plugin’s form-building interface, and when that script runs in an administrator’s browser it can lead to account takeover and the creation of a JavaScript backdoor.

Plugin Security Certification (PSC-2025-64568): “JetBackup” – Version 3.1.7.9: Use Backups with Enhanced Security

In the realm of WordPress site management, backup integrity and security are non-negotiable. Whether you’re running a small blog or a full-fledged eCommerce platform, one of the most crucial components of your WordPress infrastructure is a reliable and secure backup solution. That’s where JetBackup shines — a powerful, comprehensive plugin designed to perform backups, restorations, migrations, and cloning with simplicity, efficiency, and now — certified security.

As of version 3.1.7.9, JetBackup has officially passed the Plugin Security Certification (PSC-2025-64568) issued by CleanTalk, confirming that its codebase adheres to strict security and coding standards. This certification provides peace of mind for site owners and administrators, verifying that JetBackup doesn’t just offer robust functionality — it does so safely and responsibly.

Whether you’re downloading a local copy, uploading backups to the cloud, or performing emergency restorations, JetBackup ensures every operation is executed with integrity, transparency, and security at its core.

CVE-2025-4133 Blog2Social: Social Media Auto Post & Scheduler < 8.4.0 – Contributor+ Stored XSS

Blog2Social is a widely used WordPress plugin that enables automatic posting, cross-promoting, and scheduling of content across a variety of social networks. It’s particularly popular among content creators and marketing teams for its extensive integrations and automation features. However, in versions prior to 8.4.0, a critical Stored Cross-Site Scripting (XSS) vulnerability was discovered. This flaw allows users with the Contributor role to inject malicious scripts that get executed within the WordPress Dashboard, posing a significant security threat.

CVE-2024-13482 – Icegram Engage – Stored XSS to JS Backdoor Creation – POC

Icegram Engage is a widely-used WordPress plugin that enables website owners to create and manage popups, opt-in forms, and other interactive features to enhance user engagement. With over 30,000 active installations, the plugin is trusted by many to boost conversions and improve user experience. However, a critical vulnerability—CVE-2024-13482—has been discovered in the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows an attacker to inject malicious JavaScript code into the plugin settings, which can lead to account takeover and the creation of a backdoor in the WordPress site.

CVE-2025-1627 – Qi Blocks < 1.4 – Contributor+ Stored XSS via ToC Block – POC

In April 2025, a stored Cross-Site Scripting (XSS) vulnerability was identified in the popular Qi Blocks WordPress plugin, specifically affecting versions below 1.4. This vulnerability, now tracked as CVE-2025-1627, allows a user with Contributor permissions to inject malicious scripts into the site using the Table of Contents (ToC) block. Once a malicious payload is stored, it gets executed every time a visitor loads the affected page — putting both site administrators and end users at risk.

CVE-2025-1625 – Qi Blocks < 1.4 – Contributor+ Stored XSS via Counter Block – POC

Qi Blocks, developed by Qode Interactive, is one of the most comprehensive sets of Gutenberg blocks for WordPress, offering dozens of customizable components. Despite its acclaim for design and functionality, versions of the plugin prior to 1.4 are vulnerable to Stored Cross-Site Scripting (XSS), allowing users with Contributor privileges to inject malicious JavaScript code. This vulnerability poses a serious security threat, as the payload executes in both the admin panel and public pages.

CVE-2025-1626 – Qi Blocks < 1.4 – Contributor+ Stored XSS via Countdown Block – POC

WordPress plugins expand the functionality of websites but can sometimes introduce security vulnerabilities if user inputs are not properly validated and sanitized. CVE-2025-1626 highlights a critical Stored Cross-Site Scripting (XSS) vulnerability discovered in the popular Qi Blocks plugin (versions prior to 1.4), which could be exploited by users with Contributor privileges. This flaw poses a serious risk to the security of WordPress sites using the plugin, as it could lead to session hijacking, privilege escalation, or complete site compromise.
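The three Qi Blocks entries above share one bug class: a dynamic Gutenberg block whose server-side render callback drops block attributes into HTML without escaping. As an added illustration (example code written for this page, not Qi Blocks’, CleanTalk’s or any other plugin’s code), the file below shows a hypothetical `example/countdown` block in its vulnerable and hardened forms. The block name, attribute names and markup are made up, the sample attribute values are constructed, and the `esc_html`/`esc_attr`/`absint` shims are an assumption so the file runs under plain `php` outside WordPress (inside WordPress the real functions exist and the shims are skipped).

```php
<?php
// Hypothetical dynamic-block render callback, vulnerable vs. hardened.
// Shims so the file runs under plain PHP CLI; inside WordPress these
// functions already exist (and do extra entity normalisation).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $value ) {
        return abs( (int) $value );
    }
}

/**
 * Vulnerable pattern: attribute values are concatenated into markup as-is.
 * A Contributor has no unfiltered_html capability, so wp_kses strips a raw
 * <script> from post_content. Block attributes, however, are stored as JSON
 * inside the block delimiter comment with "<" and ">" encoded as \u003c and
 * \u003e, so kses sees no tags; parse_blocks() decodes them back before the
 * callback runs, and the raw characters land in the page for every visitor
 * and every admin previewing the post.
 */
function render_countdown_vulnerable( array $attributes ) {
    $title = $attributes['title'] ?? '';
    $end   = $attributes['endDate'] ?? '';
    $days  = $attributes['days'] ?? 0;
    return '<div class="countdown" data-end="' . $end . '" data-days="' . $days . '">'
         . '<h3 class="countdown__title">' . $title . '</h3>'
         . '</div>';
}

/**
 * Hardened pattern: each value is escaped for the context it lands in
 * (text node vs. attribute value) and numeric attributes are cast rather
 * than escaped. Safe regardless of which role saved the block.
 */
function render_countdown_hardened( array $attributes ) {
    $title = esc_html( $attributes['title'] ?? '' );
    $end   = esc_attr( $attributes['endDate'] ?? '' );
    $days  = absint( $attributes['days'] ?? 0 );
    return '<div class="countdown" data-end="' . $end . '" data-days="' . $days . '">'
         . '<h3 class="countdown__title">' . $title . '</h3>'
         . '</div>';
}

/**
 * Regression check a plugin test suite can run over rendered block HTML:
 * parse it as a browser would and report any <script> element or any
 * on* event-handler attribute, i.e. a value that escaped its context.
 */
function output_contains_script_sink( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    if ( $doc->getElementsByTagName( 'script' )->length > 0 ) {
        return true;
    }
    foreach ( $doc->getElementsByTagName( '*' ) as $element ) {
        foreach ( $element->attributes as $attribute ) {
            if ( stripos( $attribute->name, 'on' ) === 0 ) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: attribute values a Contributor could place in the
// block JSON through the editor or a REST API post request.
$attributes = array(
    'title'   => '<img src=x onerror=alert(document.cookie)>',
    'endDate' => '2025-12-31" onmouseover="alert(1)',
    'days'    => '3" onclick="alert(2)',
);

$vulnerable = render_countdown_vulnerable( $attributes );
$hardened   = render_countdown_hardened( $attributes );

echo "vulnerable: ", $vulnerable, "\n";
echo "hardened:   ", $hardened, "\n";
echo "vulnerable has script sink: ", var_export( output_contains_script_sink( $vulnerable ), true ), "\n";
echo "hardened has script sink:   ", var_export( output_contains_script_sink( $hardened ), true ), "\n";

// Inside WordPress the hardened callback is wired up like this; skipped on
// plain CLI where register_block_type() does not exist.
if ( function_exists( 'register_block_type' ) ) {
    register_block_type( 'example/countdown', array(
        'render_callback' => 'render_countdown_hardened',
    ) );
}
```

Run it with `php countdown_xss.php` (the DOM extension is required for the check). The DOM-based check is deliberately used instead of a regex on the raw string: the hardened output still contains the literal text `onerror=` inside an escaped text node, which a naive `grep` would flag, but only the vulnerable rendering produces a real event-handler attribute or script element when parsed.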

Plugin Security Certification (PSC-2025-64567): “Simple Custom CSS and JS” – Version 3.50: Use CSS and JS with Enhanced Security

Simple Custom CSS and JS is a lightweight yet powerful WordPress plugin that empowers users to inject custom CSS and JavaScript into their websites without altering core theme or plugin files. This plugin is an essential tool for developers and site administrators who require flexibility in styling or scripting, while ensuring a clean and maintainable WordPress environment.

Thanks to its intuitive interface and code editor with syntax highlighting, Simple Custom CSS and JS makes code management straightforward and efficient. Furthermore, the plugin has undergone rigorous security testing and proudly carries the Plugin Security Certification (PSC-2025-64567) issued by CleanTalk, validating its compliance with modern secure coding standards.

Plugin Security Certification (PSC-2025-64566): “Joinchat” – Version 5.2.4: Use Chat with Enhanced Security

JoinChat is a powerful communication plugin designed to enhance user engagement by integrating WhatsApp and other chat platforms directly into your WordPress website. With its intuitive interface, JoinChat enables site owners to place a floating contact button that connects users to WhatsApp on mobile and desktop, delivering real-time, personalized support. JoinChat supports multiple customization options, analytics integration, WooCommerce compatibility, and dynamic content for each page or product.

Beyond functionality, JoinChat stands out for its emphasis on code quality and security. The plugin has passed a full-scale security audit and has been awarded the Plugin Security Certification (PSC-2025-64566) by CleanTalk, assuring WordPress site owners of a safe and robust integration with modern messaging tools.