CVE-2023-6271 – Backup Migration – Unauth Sensitive Data Exposure to Full Control of the site – POC/Exploit

A critical vulnerability has been identified in the Backup Migration plugin within the directory wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables. This flaw not only discloses comprehensive information about the site, including its configuration, directories, and files, but, more critically, grants unauthorized access to sensitive data within the database, posing a significant security risk. Exploiting this vulnerability can lead to imminent threats, including potential brute force attacks on password hashes and the subsequent compromise of the entire system.

CVE-2023-6113 – WP Staging – Unauth Sensitive Data Exposure to Account Takeover – POC/Exploit

A critical vulnerability has been uncovered in the WP Staging plugin within the directory /wordpress/wp-content/uploads/wp-staging/cache. This vulnerability exposes comprehensive information about the site, including its configuration, directories, and files. More alarmingly, it allows unauthorized access to sensitive data within the

CVE-2023-5906 – Job Manager & Career – Directory listing to Sensitive Data Exposure – POC

During testing, a critical vulnerability was discovered in the plugin: a directory listing issue that allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission.

CVE-2023-5762 – Filr – Secure document library – RCE via file upload with phar ext – POC

During the testing of the plugin, an RCE (Remote Code Execution) vulnerability was identified that allows a user with Author-level privileges to execute operating system commands and fully compromise the server. This vulnerability is considered highly critical and poses a significant threat. It stems from the fact that the action=upload_file mechanism checks for files with a .php extension but fails to detect files with .phar or .phtml extensions. This oversight opens the door for an attacker to upload and execute malicious files with .phar or .phtml

CVE-2023-6065 – Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure

During a comprehensive assessment of the Quttera Web Malware Scanner plugin, a significant vulnerability was identified. This flaw allows unauthorized access to detailed scan logs, revealing sensitive information such as local paths and portions of code. The discovery was made through a systematic examination of the plugin’s functionalities.

CVE-2023-6222 – Quttera Web Malware Scanner < 3.4.2.1 - Path Traversal - POC

During routine security testing of the Quttera Web Malware Scanner plugin, a critical vulnerability known as Path Traversal was identified. This flaw permits the unauthorized retrieval of files from locations outside the designated WordPress directory. The issue was discovered through a meticulous examination of the plugin’s functionalities.

CVE-2023-5105 – Frontend File Manager Plugin – Path Traversal to Full Control – POC

In the process of rigorous testing, a critical vulnerability was unearthed in the Frontend File Manager Plugin, up to version affected, tagged with CVE-2023-5105. This vulnerability opens a path traversal avenue, allowing an attacker to download operating system files, including sensitive ones like wp-config.php. The severity lies in the potential compromise of the entire domain, especially alarming as this can be exploited by a user with Editor privileges.