Plugin Security Certification (PSC) by CleanTalk

In the process of scrutinizing the Fatal Error Notify plugin for WordPress, a Cross-Site Request Forgery (CSRF) vulnerability was unearthed. This flaw permits an unauthorized user to manipulate requests on behalf of the victim, enabling the attacker to send erroneous error messages via email. The exploit can involve sending a large volume of HTML-coded messages to the victim’s email, potentially causing disruption and spamming issues. Furthermore, the repeated suspicious activity might lead to the blocking of the WordPress site’s email.

During testing of the plugin, a vulnerability was discovered that allows the user, starting from the “Subscriber” (lower privs) privileges, to access AJAX requests that can output the following data: password and login from the database -which is very critical, password and login from the mailbox, phpinfo() and all the information that the plugin can output about the web application

A critical security vulnerability has been identified in the Debug Log Manager plugin, marked by a missing authorization check during the handling of the action=clear_log method. This lapse in validation opens the door to Cross-Site Request Forgery (CSRF) attacks, providing unauthorized actors with the ability to clear PHP logs in the affected plugin.

A critical vulnerability has been unearthed within the FastDup – Fastest WordPress Migration & Duplicator plugin, residing in the directory wordpress/wp-content/njt-fastdup/packages. This vulnerability exposes a plethora of information about the WordPress site, encompassing its configuration details, directories, and files. More alarmingly, it allows unauthorized access to sensitive data housed within the database, including user passwords. The severity of this flaw is exemplified by the imminent threat it poses, creating a gateway for potential brute force attacks on password hashes and, consequently, the entire compromise of the system.

In the process of testing the plugin, a CSRF vulnerability was found in action=rpws_user_update_password, which allows you to change the password to any user and in some saluchayah to seize the administrator account

In a recent examination of the WP-STAGING plugin, a highly critical vulnerability was uncovered, posing an existential threat to the security of WordPress installations. This flaw resides in the directory /wordpress/wp-content/uploads/wp-staging/ and exposes not only intricate details about the site’s

During a comprehensive assessment of the WP User Profile Avatar plugin, a significant vulnerability was identified, namely Insecure Direct Object Reference (IDOR). This flaw allows unauthorized users to delete or alter someone else’s avatar without the necessary privileges.

During the evaluation of the TJ Shortcodes plugin, a critical vulnerability was identified that permits the execution of Stored Cross-Site Scripting (XSS) attacks. This flaw enables an attacker to inject malicious scripts through a shortcode, posing a risk of account takeover.

During the testing of the JSM file_get_contents() Shortcode plugin, a significant SSRF (Server-Side Request Forgery) vulnerability was identified. This flaw allows exploitation through a shortcode, potentially leading to unauthorized access to internal resources.

A critical vulnerability has been identified in the Clone plugin during testing, specifically within the directory /wordpress/wp-content/uploads/wp-clone/wpclone_backup. This flaw exposes comprehensive information about the site, encompassing its configuration, directories, and files. Most crucially, it grants unauthorized access to sensitive data within the database and all associated content. Exploiting this vulnerability introduces an imminent threat, potentially leading to brute force attacks on password hashes and, consequently, the compromise of the entire system.