cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC | Application | Status | Date | Affected versions | Description
As of: Mar 10, 2025, 21:03:41

CVE-2024-10326

RomethemeKit For Elementor

vulnerable

Mar 10, 2025, 16:03:29
Affected versions: min -, max 1.5.4
The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or reset plugin widgets to their default state (all enabled). NOTE: This vulnerability was partially fixed in version 1.5.3.

CVE-2025-1926

Page Builder: Pagelayer – Drag and Drop website builder

vulnerable

Mar 10, 2025, 16:03:18
Affected versions: min -, max 1.9.9
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-1481

Shortcode Cleaner Lite

vulnerable

Mar 09, 2025, 19:03:54
Affected versions: min -, max 1.0.9
The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export arbitrary options.

CVE-2024-10321

All-in-One Addons for Elementor – WidgetKit

vulnerable

Mar 09, 2025, 18:03:31
Affected versions: min -, max 2.5.4
The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.4 in elements/advanced-tab/template/view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

CVE-2024-13908

SMTP by BestWebSoft

vulnerable

Mar 09, 2025, 18:03:27
Affected versions: min -, max 1.2.0
The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2024-11087

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

vulnerable

Mar 09, 2025, 16:03:55
Affected versions: min -, max 200.3.9
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the ...

CVE-2024-9458

Reservit Hotel

vulnerable

Mar 09, 2025, 14:03:59
Affected versions: min -, max 3.0
The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-12460

Years Since

vulnerable

Mar 09, 2025, 14:03:43
Affected versions: min -, max 1.4.1
The Years Since – Timeless Texts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'years-since' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13675

SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)

vulnerable

Mar 09, 2025, 13:03:57
Affected versions: min -, max 1.6.0
The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Icon List" Block in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13890

Allow PHP Execute

vulnerable

Mar 09, 2025, 13:03:51
Affected versions: min -, max 1.0
The Allow PHP Execute plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0. This is due to allowing PHP code to be entered by all users for whom unfiltered HTML is allowed. This makes it possible for authenticated attackers, with Editor-level access and above, to inject PHP code into posts and pages.

Recent approved applications

Application | Date | Description | Details
As of: Mar 10, 2025, 21:03:41

Maintenance

Feb 26, 2025, 18:02:05 Maintenance plugin allows the WordPress site administrator to close the website for maintenance, enable “503 Service temporarily unavailable”, set a temporary page with authorization, which can be edited via the plugin settings. Easily customize the good look on all devices. Add your logo, background image, select the desired color, add text. Maintenance uses Bunny Fonts for EU GDPR compliance. Need pre-made themes and over 3 million free images to build maintenance, coming so...

Sucuri Security – Auditing, Malware Scanner and Security Hardening

Feb 24, 2025, 15:02:56 Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security. The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. Ownership of this plugin has now been transferred to GoDaddy. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:
- Secur...

CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice)

Feb 17, 2025, 21:02:02 The CookieYes GDPR Cookie Consent plugin simplifies GDPR (RGPD, DSVGO) compliance by seamlessly integrating a cookie banner into your website. Additionally, it offers support for various global privacy regulations, including LGPD (Brazil), CNIL (France), PIPEDA (Canada), Law 25 (Quebec), POPIA (South Africa), nFADP (Switzerland), Privacy Act (Australia), PDPL (Saudi Arabia), PDPL (Argentina), PDPL (Andorra), DPA (Faroe Islands), and the California Consumer Privacy Act (CCPA/CPRA). It's also ...

Safe SVG

Feb 17, 2025, 20:02:32 Safe SVG is the best way to Allow SVG Uploads in WordPress! It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.
Current Features:
- Sanitised SVGs – Don't open up security holes in your WordPress site by allowing uploads of unsanitised files.
- SVG...

TablePress – Tables in WordPress made easy

Feb 17, 2025, 20:02:28 Boost your website with feature-rich tables that your visitors will love! TablePress is the most popular and highest-rated WordPress table plugin.
- Easily create, edit, and manage beautiful and modern data tables, no matter if small or large!
- Add live sorting, pagination, searching, and more interactivity for your site's visitors!
- Use any type of data, insert ...

Breadcrumb NavXT

Feb 04, 2025, 16:02:54 Breadcrumb NavXT, the successor to the popular WordPress plugin Breadcrumb Navigation XT, was written from the ground up to be better than its ancestor. This plugin generates locational breadcrumb trails for your WordPress powered blog or website. These breadcrumb trails are highly customizable to suit the needs of just about any website running WordPress. The Administrative interface makes setting options easy, while a direct class access is available for theme developers and more adventurous users. ...

ManageWP Worker

Jan 29, 2025, 18:01:14 So you're looking for a better way to manage WordPress websites? We have you covered! ManageWP (https://managewp.com/) is a dashboard that helps you save time and nerves by automating your workflow, so you could focus on things that matter. It is fast, secure and free for an unlimited number of websites.
Everything in One Place:
Just the hassle of logging into each of your websites is enough to ruin your day. M...

Antispam Bee

Jan 23, 2025, 19:01:33 Say Goodbye to comment spam on your WordPress blog or website. Antispam Bee blocks spam comments and trackbacks effectively, without captchas and without sending personal information to third party services. It is free of charge, ad-free and 100% GDPR compliant.
Feature/Settings Overview:
- Trust approved commenters.
- Trust commenters with a Gravatar.
- Consider the comment time.
- Allow comments only in a certain language.
- Block or allow comment...

Loginizer

Jan 20, 2025, 17:01:42 Loginizer is a WordPress plugin which helps you fight against brute-force attacks by blocking login for the IP after it reaches the maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve the security of your website. Loginizer is actively used by more than 1000000+ WordPress websites. You can find our official documentation at https://loginizer.com/docs ...

Rank Math SEO with AI SEO Tools

Jan 16, 2025, 19:01:20 Rank Math SEO – Best SEO Plugin for WordPress
1st WordPress SEO Plugin to use AI (Artificial Intelligence) ★★★★★
SEO is the most consistent source of traffic for any website. We created Rank Math, a WordPress SEO plugin (https://rankmath.com/wordpress/plugin/seo-suite/?utm_source=LP&utm_campaign=WP) with AI SEO features better than ChatGPT, to help every website owner get access to the SEO ...