cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC | Application | Status | Date | Affected versions | Description
Actual on: Jul 05, 2026, 10:07:03

CVE-2026-57751 | Heateor Social Login WordPress | vulnerable
Date: Jul 05, 2026, 12:07:41
Affected versions: Min - / Max 1.1.39
Description: Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.

CVE-2026-57765 | Shopping Cart & eCommerce Store | vulnerable
Date: Jul 05, 2026, 12:07:01
Affected versions: Min - / Max 5.9.0
Description: Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.

CVE-2026-57756 | nicen-localize-image | vulnerable
Date: Jul 05, 2026, 11:07:57
Affected versions: Min - / Max 1.4.9
Description: Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.

CVE-2026-57752 | iNET Webkit | vulnerable
Date: Jul 05, 2026, 07:07:55
Affected versions: Min - / Max 1.2.4
Description: Contributor SQL Injection in iNET Webkit 1.2.4 versions.

CVE-2026-57674 | Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling | vulnerable
Date: Jul 04, 2026, 22:07:15
Affected versions: Min - / Max 1.0.59
Description: Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.

CVE-2026-9626 | JSON API User | vulnerable
Date: Jul 04, 2026, 22:07:02
Affected versions: Min - / Max 4.1.2
Description: The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint in versions up to, and including, 4.1.0. This is due to insufficient input sanitization in the post_comment() function, which passes the attacker-controlled comment_content value directly to wp_insert_comment() without applying any HTML sanitization, and additionally allows the caller to set comment_approved=1 to self-approve the comment and bypass moderation. This ...

CVE-2026-57673 | Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF | vulnerable
Date: Jul 04, 2026, 21:07:10
Affected versions: Min - / Max 4.2.7
Description: Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions.

CVE-2026-57348 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | vulnerable
Date: Jul 04, 2026, 21:07:06
Affected versions: Min - / Max 3.0.5
Description: Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions.

CVE-2026-11778 | CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce | vulnerable
Date: Jul 04, 2026, 19:07:30
Affected versions: Min - / Max 2.2.15
Description: The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVE-2026-11397 | WP Import Export Lite | vulnerable
Date: Jul 04, 2026, 19:07:20
Affected versions: Min - / Max 3.9.31
Description: The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 3.9.30 via the wpie_import_upload_file_from_url AJAX action. The plugin's URL downloader first calls wp_safe_remote_get() (which correctly blocks private/reserved IP ranges), but when that call returns a WP_Error — the exact outcome for any blocked internal host — the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original attacker-supplied URL...

Recent approved applications

Application | Date | Description | Details
Actual on: Jul 05, 2026, 10:07:03

Jetpack – WP Security, Backup, Speed, & Growth
Date: Jun 25, 2026, 16:06:39
Description: Security and performance suites operate across many areas of a WordPress installation, including backups, malware scanning, content delivery, statistics, forms, and social publishing. That makes them operationally useful, but also security-sensitive because a broad plugin footprint can affect privileged settings, connected service tokens, public scripts, and administrator workflows. Jetpack - WP Security, Backup, Speed, and Growth version 15.9.1 has successfully completed the CleanTalk Plugin Security Certi...

Admin and Site Enhancements (ASE)
Date: Jun 25, 2026, 16:06:39
Description: Administrative enhancement plugins concentrate many privileged controls in one interface, including editor behavior, media tools, SMTP settings, menu changes, and site management modules. That makes them efficient for administrators, but also security-sensitive because broad settings can affect core WordPress behavior. Admin and Site Enhancements (ASE) version 8.8.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64673, confirming that the plugin was revi...

Really Simple CAPTCHA
Date: Jun 25, 2026, 16:06:39
Description: CAPTCHA helper plugins sit close to form submission flows, generated challenge files, temporary tokens, and validation results used by other plugins. That makes them useful against automated abuse, but also security-sensitive because weak file handling or predictable challenge behavior can affect public forms. Really Simple CAPTCHA version 2.4 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64669, confirming that the plugin was reviewed from a secure code...

Mailchimp for WooCommerce
Date: Jun 25, 2026, 16:06:39
Description: Email marketing integrations process order activity, customer profiles, product metadata, cart events, and API credentials. That makes them useful for store communication, but also security-sensitive because customer related data moves between WooCommerce and an external marketing platform. Mailchimp for WooCommerce version 6.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64671, confirming that the plugin was reviewed from a secure code perspective w...

Font Awesome
Date: Jun 25, 2026, 16:06:39
Description: Icon plugins affect the editor, public markup, scripts, styles, and sometimes external kit configuration. That makes them convenient for visual design, but also security-sensitive because stored icon settings and asset URLs can become part of the public HTML served to visitors. Font Awesome version 5.1.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64668, confirming that the plugin was reviewed from a secure code perspective with attention to common ex...

Pinterest for WooCommerce
Date: Jun 25, 2026, 16:06:39
Description: Commerce marketing integrations handle product data, tracking events, connected account settings, and background synchronization. That makes them valuable for store growth, but also security-sensitive because merchant configuration and catalog data can affect both customer privacy and public product visibility. Pinterest for WooCommerce version 1.4.27 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64670, confirming that the plugin was reviewed from a sec...

Facebook Chat Plugin – Live Chat Plugin for WordPress
Date: Jun 25, 2026, 16:06:39
Description: Live chat plugins add third-party scripts, public widgets, and administrator managed page identifiers to WordPress pages. That makes them useful for customer communication, but also security-sensitive because stored settings are rendered to visitors and external script behavior becomes part of the public site surface. Facebook Chat Plugin - Live Chat Plugin for WordPress version 2.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64667, confirming that th...

Page Optimize
Date: Jun 25, 2026, 16:06:39
Description: Page optimization plugins change how scripts, styles, and front-end resources are loaded. That makes them useful for performance, but also security-sensitive because optimized output becomes part of every public page and can affect forms, commerce, analytics, and security controls. Page Optimize version 0.6.3 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64674, confirming that the plugin was reviewed from a secure code perspective with attention to comm...

Advanced Google reCAPTCHA
Date: Jun 25, 2026, 16:06:39
Description: Anti-spam plugins protect login, registration, comment, and public form paths. That makes them useful against automated abuse, but also security-sensitive because enforcement failures can leave high-value endpoints exposed or block legitimate visitors from expected workflows. Advanced Google reCAPTCHA version 5.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64672, confirming that the plugin was reviewed from a secure code perspective with attention to...

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Date: May 26, 2026, 14:05:16
Description: Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...