cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

Columns: CVE/PSC | Application | Status | Date | Affected versions (Min/Max as listed; "-" means no lower bound given) | Description
Data as of: Dec 15, 2025, 17:12:21

CVE-2025-12667 | GitHub Gist Shortcode Plugin | Status: vulnerable | Date: Dec 12, 2025, 13:12:28 | Affected versions: Min -, Max 0.2
The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'gist' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-12392 | Cryptocurrency Payment Gateway for WooCommerce | Status: vulnerable | Date: Dec 12, 2025, 13:12:17 | Affected versions: Min -, Max 2.0.22
The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking.

CVE-2025-67582 | Wbcom Designs – Private Community for BuddyPress | Status: vulnerable | Date: Dec 12, 2025, 13:12:07 | Affected versions: Min -, Max 2.1.1
Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wbcom Designs: from n/a through <= 2.1.1.

CVE-2025-12589 | WP-Walla | Status: vulnerable | Date: Dec 12, 2025, 13:12:04 | Affected versions: Min -, Max 0.5.3.5
The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
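CVE-2025-12392, CVE-2025-67582 and CVE-2025-12589 above are three faces of one mistake: a state-changing handler that does not verify who is calling it (a missing capability check, i.e. missing authorization) or whether the caller meant to call it (a missing nonce, i.e. CSRF). The following is an added example, not code from any of the plugins listed on this page: a hypothetical settings handler registered on admin-post.php, shown first in the unsafe form and then with both checks and strict input validation. The option name, action names and nonce name are invented.

```php
<?php
// Added example for a hypothetical WordPress plugin; all example_* names are invented.
// Runs inside WordPress (update_option, check_admin_referer, etc. are core functions).

// UNSAFE: no CSRF token, no capability check, raw POST value stored. Registering the
// "nopriv" variant means even a logged-out visitor can flip the setting.
function example_save_settings_unsafe() {
    update_option( 'example_tracking_optin', $_POST['optin'] ?? '' );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_example_save_unsafe', 'example_save_settings_unsafe' );
add_action( 'admin_post_nopriv_example_save_unsafe', 'example_save_settings_unsafe' );

// HARDENED
function example_save_settings() {
    // 1. Authorization: is this user allowed to change site settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_admin_referer() dies with a 403 on a missing or stale nonce.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // 3. Validation: the option has exactly two legal values; anything else becomes "0".
    //    Storing a validated value also removes the stored-XSS path when it is rendered later.
    $optin = ( isset( $_POST['optin'] ) && '1' === $_POST['optin'] ) ? '1' : '0';
    update_option( 'example_tracking_optin', $optin );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
// Only the logged-in hook is registered: unauthenticated requests never reach the handler.
add_action( 'admin_post_example_save', 'example_save_settings' );

// The form that posts to the handler has to mint the nonce that the handler checks.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save">
        <label>
            <input type="checkbox" name="optin" value="1"
                <?php checked( get_option( 'example_tracking_optin', '0' ), '1' ); ?>>
            Share anonymous usage data
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two checks are not interchangeable: a nonce proves the request came from a page WordPress rendered for this user, not that the user is allowed to do the thing; a capability check proves the opposite. For `wp_ajax_` handlers the equivalents are `check_ajax_referer()` and the same `current_user_can()` call, and the `wp_ajax_nopriv_` / `admin_post_nopriv_` hooks exist precisely to expose a handler to logged-out users, so a handler that changes state should never be registered on one.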

CVE-2025-63055 | Master Addons for Elementor | Status: vulnerable | Date: Dec 12, 2025, 13:12:02 | Affected versions: Min -, Max 2.0.9.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.

CVE-2025-12652 | Ungapped Widgets | Status: vulnerable | Date: Dec 12, 2025, 12:12:55 | Affected versions: Min -, Max 1
The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page.
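CVE-2025-12667 and CVE-2025-12652 above describe the same pattern: a shortcode attribute that any Contributor can set in a post is written into the rendered page without escaping. The following is an added example, not code from either plugin: a hypothetical `[example_embed]` shortcode shown first in the unsafe form and then hardened by validating the attribute on input and escaping for each output context. The shortcode name, attributes and embed URL are invented.

```php
<?php
// Added example for a hypothetical WordPress plugin; all example_* names and the
// example.invalid host are invented. Runs inside WordPress (shortcode_atts, esc_*,
// sanitize_text_field and add_shortcode are core functions).

// UNSAFE: attribute values are concatenated straight into markup. A Contributor who
// puts a quote or an angle bracket into "id" or "label" breaks out of the attribute
// or element, and the saved post becomes a stored-XSS vector that fires for every
// visitor, including administrators.
function example_embed_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'label' => '' ), $atts, 'example_embed' );
    return '<div class="example-embed" data-id="' . $atts['id'] . '">'
         . '<script src="https://example.invalid/embed/' . $atts['id'] . '.js"></script>'
         . '<span>' . $atts['label'] . '</span></div>';
}

// HARDENED: validate on input, escape for the exact context on output.
function example_embed_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'label' => '' ), $atts, 'example_embed' );

    // 1. Validation: an embed id has a known shape. Anything else is rejected outright
    //    rather than "cleaned", so there is no ambiguous value left to escape.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $atts['id'] ) ) {
        return '';
    }

    // 2. Sanitisation of free text: strips tags, NUL bytes and control characters.
    $label = sanitize_text_field( $atts['label'] );

    // 3. Context-specific escaping at the point of output. Each esc_* function only
    //    neutralises the characters that matter in its own context.
    $src = 'https://example.invalid/embed/' . rawurlencode( $atts['id'] ) . '.js';
    return sprintf(
        '<div class="example-embed" data-id="%s"><script src="%s"></script><span>%s</span></div>',
        esc_attr( $atts['id'] ), // HTML attribute value
        esc_url( $src ),         // URL in an attribute: scheme allow-list plus attribute escaping
        esc_html( $label )       // text node
    );
}
add_shortcode( 'example_embed', 'example_embed_shortcode' );
```

`shortcode_atts()` only fills in defaults; it does not sanitise anything, which is the trap behind both advisories. `wp_kses_post()` is also not the right tool here: the attacker controls a single attribute value, not a block of markup, so the fix is validation plus the escaping function that matches where the value lands.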

CVE-2025-12973 | S2B AI Assistant – ChatGPT, OpenAI, Content & Image Generator | Status: vulnerable | Date: Dec 12, 2025, 12:12:43 | Affected versions: Min -, Max 1.7.9
The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
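CVE-2025-12973 above turns on a single missing check: the upload handler accepts whatever file type the Editor sends. The following is an added example, not the plugin's `storeFile()`: a hypothetical handler shown first as the raw `move_uploaded_file()` pattern and then rebuilt on `wp_handle_upload()` with an explicit MIME allow-list and an authorization check in front of it. Function, field and action names are invented.

```php
<?php
// Added example for a hypothetical WordPress plugin; all example_* names are invented.
// Runs inside WordPress. wp_handle_upload() lives in wp-admin/includes/file.php.
require_once ABSPATH . 'wp-admin/includes/file.php';

// UNSAFE: trusts the client-supplied name and type. "shell.php" or "shell.phtml" lands
// inside the web root with its original name and is executed on the next request.
function example_store_file_unsafe( array $file, string $dir ) {
    $dest = trailingslashit( $dir ) . $file['name'];
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

// HARDENED
function example_store_file( array $file ) {
    // Authorization first, with the capability that matches what the feature does.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You may not upload files.' );
    }

    // Explicit allow-list of extension => MIME type. Everything else is refused,
    // including types WordPress would otherwise allow for some roles (HTML, SVG, ...).
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );

    // wp_handle_upload() runs wp_check_filetype_and_ext(): the extension must be in
    // $allowed, the stored name is made unique with wp_unique_filename(), and for
    // images the content is checked to really be an image, so a PHP file renamed
    // to .png is rejected as well.
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false, // request does not come from a WP media form
            'mimes'     => $allowed,
        )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_rejected', $result['error'] );
    }
    // $result carries 'file' (path), 'url' and 'type' (the verified MIME type).
    return $result;
}

// Wiring: the handler is only registered for logged-in users, and the request must
// carry a nonce so a forged cross-site form cannot trigger the upload.
function example_handle_upload_request() {
    check_admin_referer( 'example_upload', '_example_nonce' );
    if ( empty( $_FILES['example_file'] ) ) {
        wp_die( 'No file received', '', array( 'response' => 400 ) );
    }
    $stored = example_store_file( $_FILES['example_file'] );
    if ( is_wp_error( $stored ) ) {
        wp_die( esc_html( $stored->get_error_message() ), '', array( 'response' => 400 ) );
    }
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'uploaded', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_upload', 'example_handle_upload_request' );
```

The allow-list is the decision that matters; the rest is defence in depth. Two practical caveats: keep the list to what the feature really needs rather than reusing the site-wide `get_allowed_mime_types()`, and put user uploads in a directory where script execution is disabled, so an allow-list mistake yields a download instead of code execution.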

CVE-2025-12894 | Import WP – Export and Import CSV and XML files to WordPress | Status: vulnerable | Date: Dec 12, 2025, 08:12:40 | Affected versions: Min -, Max 2.14.18
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.
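CVE-2025-12894 above is not an injection at all: exported data sits in a web-served directory with nothing stopping an anonymous request for it. The following is an added example, not the Import WP code, with invented directory, capability-check and action names. It shows the three layers a practitioner would expect: an `index.php` to defeat directory listing, an `.htaccess` for Apache, and a capability-checked download endpoint that pins the requested path inside the directory, so the files never need to be reachable by URL to be useful.

```php
<?php
// Added example for a hypothetical WordPress plugin; all example_* names are invented.
// Runs inside WordPress (wp_upload_dir, wp_mkdir_p, check_admin_referer are core).

function example_export_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-exports';
    if ( ! file_exists( $dir ) ) {
        wp_mkdir_p( $dir );
    }
    // Layer 1: no directory listing, even where the webserver would allow it.
    if ( ! file_exists( $dir . '/index.php' ) ) {
        file_put_contents( $dir . '/index.php', "<?php\n// Silence is golden.\n" );
    }
    // Layer 2: Apache (with AllowOverride in effect) refuses direct requests.
    // nginx and IIS ignore .htaccess entirely, so this must not be the only control.
    if ( ! file_exists( $dir . '/.htaccess' ) ) {
        file_put_contents(
            $dir . '/.htaccess',
            "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
            . "<IfModule !mod_authz_core.c>\n  Order deny,allow\n  Deny from all\n</IfModule>\n"
        );
    }
    return $dir;
}

// New exports get an unguessable name so that even a listing or a leaked path
// does not hand over older files.
function example_new_export_path( string $ext = 'csv' ) {
    return trailingslashit( example_export_dir() )
         . 'export-' . wp_generate_password( 24, false ) . '.' . $ext;
}

// Layer 3: the only sanctioned way to read an export is this endpoint. It checks the
// capability, checks a nonce, and refuses any path that resolves outside the directory.
function example_download_export() {
    if ( ! current_user_can( 'export' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_download_export' );

    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $dir  = realpath( example_export_dir() );
    $path = ( '' !== $name ) ? realpath( $dir . DIRECTORY_SEPARATOR . $name ) : false;

    // realpath() resolves ".." and symlinks; anything not under $dir is rejected.
    if ( false === $path || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
add_action( 'admin_post_example_download_export', 'example_download_export' );
```

A quick check for an existing site: request a known export path directly without a session; if the file comes back, the web server is serving the directory regardless of what the plugin intended, and on nginx an `.htaccess` will not change that. The durable fix is to keep exports outside the document root (or behind a deny rule in the server configuration itself) and stream them through an authenticated handler as above.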

CVE-2025-66090 | SKT Skill Bar | Status: vulnerable | Date: Dec 11, 2025, 21:12:44 | Affected versions: Min -, Max 2.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows DOM-Based XSS. This issue affects SKT Skill Bar: from n/a through <= 2.5.

CVE-2025-13682 | Trail Manager | Status: vulnerable | Date: Dec 11, 2025, 21:12:41 | Affected versions: Min -, Max 1.0.0
The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Recent approved applications

Columns: Application | Date | Description | Details
Data as of: Dec 15, 2025, 17:12:21

Redis Object Cache

Date: Sep 17, 2025, 11:09:45
Redis Object Cache 2.6.5 is a persistent object cache backend powered by Redis, designed to enhance WordPress performance and scalability. It supports multiple PHP clients such as Predis, PhpRedis (PECL), and Relay, while offering advanced features like replication, sentinels, clustering, and seamless WP-CLI integration. Administrators can configure connection parameters, customize key prefixes, and set up replication or clustering to ensure optimal performance and reliability. For enterprise environments...

PDF Embedder

Date: Sep 11, 2025, 11:09:45
PDF Embedder is a powerful WordPress plugin that allows you to upload and embed PDF files directly into posts and pages, offering seamless document presentation with responsive design. Unlike other plugins that rely on iframes, PDF Embedder uses a unique JavaScript-based rendering method that gives site administrators complete control over the look, sizing, and navigation of embedded PDFs. The plugin ensures that all PDF files and associated scripts are served from your own server, guaranteeing both faster...

Category Order and Taxonomy Terms Order

Date: Sep 08, 2025, 11:09:45
Category Order and Taxonomy Terms Order is a lightweight yet powerful WordPress plugin that enables administrators to reorder categories and custom taxonomy terms with a drag-and-drop interface. Developed by Nsp-Code, this plugin enhances site structure and usability without requiring theme or plugin modifications. While primarily a tool for content organization, it also interacts directly with queries and the WordPress admin environment, areas where poorly implemented code could create vulnerabilities. Tha...

Meta pixel for WordPress

Date: Sep 05, 2025, 10:09:48
Meta Pixel for WordPress is a lightweight and powerful plugin that allows website owners to easily integrate the Meta Pixel (formerly Facebook Pixel) into their WordPress site. With this plugin, site administrators can track critical events such as Lead, ViewContent, AddToCart, InitiateCheckout, and Purchase, while also leveraging the Conversions API for more reliable data collection. By combining the Pixel with the Conversions API, businesses can establish a direct, server-to-server connection with Meta s...

WP-PageNavi

Date: Sep 05, 2025, 10:09:44
WP-PageNavi is one of the most widely used plugins for adding advanced paging navigation to WordPress. Instead of the basic "Older posts | Newer posts" links, it provides a more user-friendly and customizable pagination interface that improves navigation across archives, blogs, and multipage posts. With a long-standing reputation for reliability, WP-PageNavi is trusted by thousands of site owners to enhance usability. Now, with the Plugin Security Certification (PSC-2025-64594) by CleanTalk, WP-PageNavi ha...

Redux Framework

Date: Aug 28, 2025, 11:08:45
The Redux Framework has long been the go-to options framework for WordPress developers. It provides an extensible, fully responsive environment for building option panels, customizer controls, and advanced UI fields for themes and plugins. By saving developers months of work, Redux accelerates innovation while maintaining a clean, standards-based architecture. With the release of version 4.5.7, Redux Framework has officially achieved the Plugin Security Certification (PSC-2025-64592) by CleanTalk, confirmi...

GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent)

Date: Aug 26, 2025, 10:08:33
Ensuring compliance with GDPR, CCPA, DSGVO, and other global privacy regulations is critical for every WordPress-powered website. The GDPR Cookie Compliance plugin (v5.0.9) provides an all-in-one solution for cookie consent management, offering flexibility, transparency, and full compliance with international data protection laws. With its latest achievement, the plugin has been awarded the Plugin Security Certification (PSC-2025-64591) by CleanTalk, guaranteeing that its codebase is secure, hardened, and ...

WP Activity Log

Date: Aug 21, 2025, 21:08:55
WP Activity Log is a powerful WordPress plugin designed to provide detailed, real-time logging of all activities across your WordPress sites and multisite networks. From user login attempts to changes in posts, plugins, themes, and settings, this plugin gives administrators full visibility into everything that happens on their websites. With its granular event tracking, WP Activity Log helps site owners improve security, accountability, compliance, and troubleshooting. Administrators can detect suspicious ...

Superb Addons – WordPress Editor Blocks & Patterns and Elementor Sections & Elements

Date: Aug 21, 2025, 13:08:55
Now, with its successful completion of the Plugin Security Certification (PSC-2025-64588) by CleanTalk, Superb Addons not only delivers cutting-edge features but also guarantees code-level security and reliability. This certification proves that the plugin has been rigorously tested against the most common and dangerous vulnerabilities in the WordPress ecosystem.

PHP Compatibility Checker

Date: Aug 21, 2025, 09:08:19
PHP Compatibility Checker is a WordPress plugin developed by WP Engine that helps site administrators and developers analyze their WordPress themes and plugins for compatibility with modern PHP versions. As WordPress continues to evolve, maintaining compatibility with supported PHP versions is a crucial factor for both performance and security. Outdated PHP releases no longer receive security updates, leaving websites at risk of vulnerabilities. This plugin empowers users to safely transition to newer PHP ...