cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

Columns: CVE/PSC, Application, Status, Date, Affected versions (Min / Max), Description
As of: Jun 14, 2025, 03:06:57

CVE-2025-5482

Sunshine Photo Cart: Free Client Galleries for Photographers

vulnerable

Jun 13, 2025, 10:06:32
Min -
Max 3.4.12
The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password ...
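The bug class described above, shown as an added illustration that is not Sunshine Photo Cart's code: a hypothetical custom password-reset handler that trusts a caller-chosen user ID and loosely compares a reset key, next to a version that hands key validation to WordPress core. The function names, the `hypothetical_reset_key` meta key and the request field names are assumptions; `check_password_reset_key()`, `reset_password()`, `wp_set_password()` and `get_user_meta()` are real core functions.

```php
<?php
// Added illustration, not the plugin's code. Shows how "not properly
// validating a user-supplied key" turns a password-reset feature into
// account takeover for any logged-in user.

// VULNERABLE PATTERN (hypothetical): the key is only loosely compared with a
// per-user meta value. If no reset was ever requested for the target account,
// get_user_meta() returns '' and '' == '' is true, so a Subscriber can pick
// any user_id (including an administrator's) and set a new password.
function hypothetical_reset_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    $key     = isset( $_POST['key'] ) ? $_POST['key'] : '';
    $stored  = get_user_meta( $user_id, 'hypothetical_reset_key', true ); // '' if never set
    if ( $key == $stored ) {
        wp_set_password( $_POST['new_password'], $user_id );
    }
}

// HARDENED: let core validate the key. check_password_reset_key() compares the
// supplied key against the hashed activation key stored for that login,
// enforces expiry, and returns WP_Error on any mismatch. The target user is
// derived from the (login, key) pair, never from a caller-chosen user ID.
function hypothetical_reset_hardened() {
    $login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) ) : '';
    $key   = isset( $_POST['key'] )   ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';

    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid or expired key', 403 );
    }
    reset_password( $user, wp_unslash( $_POST['new_password'] ) );
    wp_send_json_success();
}
```

A quick audit check for this class: any reset code path that selects the account from a request parameter (`user_id`, `email`, `login`) and then compares a key with `==` or `empty()` instead of calling `check_password_reset_key()` deserves a second look, and the empty-key case should be tested explicitly.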

CVE-2025-5235

OpenSheetMusicDisplay

vulnerable

Jun 13, 2025, 02:06:02
Min -
Max 1.4.1
The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-47673

Arconix Shortcodes

vulnerable

Jun 12, 2025, 05:06:36
Min -
Max 2.1.17
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes allows Reflected XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.16.

CVE-2025-4611

Slim SEO – Fast & Automated WordPress SEO Plugin

vulnerable

Jun 12, 2025, 04:06:32
Min -
Max 4.5.4
The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-48280

AutomatorWP – The #1 automator plugin for no-code automation in WordPress

vulnerable

Jun 11, 2025, 14:06:34
Min -
Max 5.2.2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP allows Blind SQL Injection. This issue affects AutomatorWP: from n/a through 5.2.1.3.
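Blind SQL injection of the kind named above, as an added illustration that is not AutomatorWP's code: a hypothetical listing query that concatenates request input, next to the same query built with `$wpdb->prepare()` placeholders for values and an allow-list for identifiers. The `hypo_items` table, the `hypo_list_*` functions and the column names are assumptions; `$wpdb->prepare()` and `$wpdb->get_col()` are real WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. "Blind" means nothing from the
// query is echoed back; an attacker still learns one bit per request from
// response timing or from whether any rows come back.

// VULNERABLE PATTERN (hypothetical): both a value and an identifier are
// concatenated into SQL. A probe such as orderby=(SELECT SLEEP(3)) delays the
// response only if the input reaches MySQL unchanged, which confirms the bug.
function hypo_list_vulnerable( $status, $orderby ) {
    global $wpdb;
    $sql = "SELECT id FROM {$wpdb->prefix}hypo_items WHERE status = '" . $status . "' ORDER BY " . $orderby;
    return $wpdb->get_col( $sql );
}

// HARDENED: values go through prepare() placeholders (%s, %d). Column names
// and sort direction cannot be sent as %s, so they are restricted to an
// allow-list before being interpolated. (WordPress 6.2 and later also accept
// a %i placeholder for identifiers, which quotes them as backticked names.)
function hypo_list_hardened( $status, $orderby, $dir ) {
    global $wpdb;
    $allowed_cols = array( 'id', 'created_at', 'title' );
    $orderby = in_array( $orderby, $allowed_cols, true ) ? $orderby : 'id';
    $dir     = ( 'desc' === strtolower( (string) $dir ) ) ? 'DESC' : 'ASC';

    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}hypo_items WHERE status = %s ORDER BY {$orderby} {$dir}",
        $status
    );
    return $wpdb->get_col( $sql );
}
```

The allow-list is the part reviewers most often find missing: escaping functions such as `esc_sql()` protect quoted string literals, not identifiers, so an `ORDER BY` or table name built from user input stays injectable even when every value is escaped.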

CVE-2025-3750

Network Posts Extended

vulnerable

Jun 11, 2025, 07:06:45
Min -
Max 7.7.1
The Network Posts Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_height’ parameter in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
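The three stored-XSS entries above (OpenSheetMusicDisplay's `className` parameter, Slim SEO's `slim_seo_breadcrumbs` shortcode attributes and Network Posts Extended's `post_height` parameter) share one mechanism: a shortcode handler prints an attribute without escaping it for the HTML context it lands in. The following is an added illustration, not code from any of those plugins; the `hypo_box` shortcode, its attributes and the function names are assumptions, while `shortcode_atts()`, `esc_attr()`, `absint()` and `add_shortcode()` are real core functions.

```php
<?php
// Added illustration, not any listed plugin's code. Contributors can put
// shortcodes into posts, and wp_kses_post() does not see the shortcode's
// expanded output, so an unescaped attribute becomes stored XSS that runs for
// every visitor and for any administrator who previews the post.

// VULNERABLE PATTERN (hypothetical): attributes interpolated straight into HTML.
// [hypo_box class='" onmouseover="alert(document.cookie)' height='100']
// yields <div class="" onmouseover="alert(document.cookie)" style="height:100px">
function hypo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'class' => '', 'height' => '200' ), $atts, 'hypo_box' );
    return '<div class="' . $atts['class'] . '" style="height:' . $atts['height'] . 'px"></div>';
}

// HARDENED: escape for the exact context (esc_attr for an HTML attribute) and
// coerce values whose type is known (absint for a pixel height), so no
// attacker-controlled text can reach the style attribute at all.
function hypo_box_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'class' => '', 'height' => '200' ), $atts, 'hypo_box' );
    $class  = esc_attr( $atts['class'] );
    $height = absint( $atts['height'] );
    return sprintf( '<div class="%s" style="height:%dpx"></div>', $class, $height );
}
add_shortcode( 'hypo_box', 'hypo_box_hardened' );
```

When auditing a shortcode, list every attribute the handler reads and match each one to the escaping function for where it is printed (`esc_attr()` inside attributes, `esc_html()` in text nodes, `esc_url()` in `href`/`src`, `wp_json_encode()` inside inline script); the reflected-XSS entry for Arconix Shortcodes is the same mistake with a request parameter instead of a saved attribute.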

CVE-2025-4431

Featured Image Plus

vulnerable

Jun 10, 2025, 07:06:49
Min -
Max 1.6.3
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
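The missing-capability-check pattern above, as an added illustration that is not Featured Image Plus's code: a hypothetical admin-ajax handler that sets a post's featured image for whoever calls it, next to a version that verifies a nonce and a per-post capability. The `hypo_set_thumb` action, the function names and the request fields are assumptions; `check_ajax_referer()`, `current_user_can()`, `set_post_thumbnail()`, `get_post_type()` and `wp_send_json_*()` are real core functions.

```php
<?php
// Added illustration, not the plugin's code. Every wp_ajax_{action} hook is
// reachable by every logged-in user, Subscribers included, so authorization
// has to happen inside the handler.

// VULNERABLE PATTERN (hypothetical): no nonce, no capability check. Any
// logged-in user can POST action=hypo_set_thumb&post_id=1&attachment_id=...
// to /wp-admin/admin-ajax.php and change the featured image of any post.
function hypo_set_thumb_vulnerable() {
    $post_id       = (int) $_POST['post_id'];
    $attachment_id = (int) $_POST['attachment_id'];
    set_post_thumbnail( $post_id, $attachment_id );
    wp_send_json_success();
}

// HARDENED: check a nonce bound to this action (blocks CSRF), then check the
// capability against the specific object. 'edit_post' with a post ID is a meta
// capability resolved per post, so an Author can change their own posts but
// not someone else's; a bare current_user_can( 'edit_posts' ) would not give
// that. Finally confirm the attachment ID really is an attachment.
function hypo_set_thumb_hardened() {
    check_ajax_referer( 'hypo_set_thumb', 'nonce' ); // dies on failure

    $post_id       = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'not an attachment', 400 );
    }
    set_post_thumbnail( $post_id, $attachment_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_set_thumb', 'hypo_set_thumb_hardened' );
// The page that triggers the request embeds wp_create_nonce( 'hypo_set_thumb' )
// as the 'nonce' field.
```

The nonce and the capability check are independent controls: a nonce alone still lets a Subscriber call the endpoint from a page that issued them a nonce, and a capability check alone still allows CSRF against an editor's browser.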

CVE-2025-47504

Products per Page for WooCommerce

vulnerable

Jun 10, 2025, 03:06:35
Min -
Max 2.5.0
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Custom Checkout Fields for WooCommerce allows Stored XSS. This issue affects Custom Checkout Fields for WooCommerce: from n/a through 1.8.3.

CVE-2025-47504

Min Max Default Quantity for WooCommerce

vulnerable

Jun 09, 2025, 05:06:38
Min -
Max 5.0.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Custom Checkout Fields for WooCommerce allows Stored XSS. This issue affects Custom Checkout Fields for WooCommerce: from n/a through 1.8.3.

CVE-2025-49076

The Plus Addons for Elementor

vulnerable

Jun 06, 2025, 19:06:22
Min -
Max 6.2.8
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Innovations The Plus Addons for Elementor Page Builder Lite allows Stored XSS. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 6.2.7.

Recently approved applications

Columns: Application, Date, Description, Details
As of: Jun 14, 2025, 03:06:57

Solid Security – Password, Two Factor Authentication, and Brute Force Protection

May 29, 2025, 17:05:55 Reduce your WordPress website's risk to nearly zero with Solid Security. Formerly iThemes Security. Looking for iThemes? Learn more here: https://go.solidwp.com/wporg-security-ithemes. On average, 30,000 websites are hacked every day.* Cyberattacks in the US increased by 57% in 2022.** Bad actors who want to hack your site, steal your data, and cripple your business are a 24/7/365 threat. You need a proactive, strategic approach to WordPress website s...

WP Statistics

May 27, 2025, 20:05:03 WP Statistics: THE #1 WORDPRESS STATISTICS PLUGIN. Do you need a simple tool to know your website statistics? Do you need to represent these statistics? Do you care about your users' privacy while analyzing who is interested in your business or website? With WP Statistics you can know your website statistics without any need to send your users' data anywhere. You can know how many people visit your personal or business website, where they're coming from, what browsers and search engines they ...

Hostinger

May 27, 2025, 20:05:00 Hostinger's Onboarding Plugin transforms the way you launch your WordPress site (https://www.hostinger.com/tutorials/launch-a-wordpress-site). Crafted for an effortless user experience, it guides you through the essential steps of website setup and personalization. Whether you're adjusting settings or exploring new tools, a single click is all it takes to guide you to the right place. Dive into a hassle-free WordPress setup by installing our plugin. Here...

BackWPup – WordPress Backup Plugin

May 27, 2025, 19:05:57 The backup plugin BackWPup (https://backwpup.com/) can be used to save your complete installation, including /wp-content/, and push it to an external backup service, like Dropbox, S3, FTP and many more; see the list below. With a single backup .zip file you are able to easily restore an installation. Please understand: this free version will not be supported as well as the ...

Header Footer Code Manager

May 20, 2025, 20:05:00 Header Footer Code Manager by 99 Robots is an easy interface to add snippets to the header or footer, or above or below the content of your page. BENEFITS: Never have to worry about inadvertently breaking your site by adding code; avoid inadvertently placing snippets in the wrong place; eliminate the need for a dozen or more silly plugins just to add a small code snippet (fewer plugins is always better!); never lose your code snippets when switching or chan...

Widgets for Google Reviews

May 06, 2025, 19:05:29 Display your Google Reviews for free with our responsive widgets in 2 minutes. The plugin displays your Google Reviews in amazing predesigned widgets. You can simply create and display your own widgets, and filter your reviews to build customers' trust and increase SEO. [Embedded Vimeo video: https://player.vimeo.com/video/506419798] ...

JetBackup – WP Backup, Migrate & Restore

May 05, 2025, 10:05:34 JetBackup is the most complete backup and migration choice for WordPress. We offer the easiest way to backup, restore and migrate your WordPress based website or blog. You can backup/migrate your files, database or both. Download JetBackup premium versions here: https://www.jetbackup.com/jetbackup-for-wordpress. See JetBackup in Action Here!...

Simple Custom CSS and JS

Apr 25, 2025, 00:04:55 Customize your WordPress site's appearance by easily adding custom CSS and JS code without even having to modify your theme or plugin files. This is perfect for adding custom CSS tweaks to your site. Features: Text editor with syntax highlighting; print the code inline or included into an external file; print the code in the header or the footer; add CSS or JS to the s...

WooCommerce Shipping & Tax

Apr 21, 2025, 19:04:49 WooCommerce Shipping & Tax makes basic eCommerce features like shipping more reliable by taking the burden off of your site's infrastructure. With WooCommerce Shipping & Tax, critical services are hosted on Automattic's best-in-class infrastructure, rather than relying on your store's hosting. That means your store will be more stable and faster. To use the features, simply install this plugin and activate the ones you want directly in your dashboard. As we add more services, you'll ...

Flamingo

Apr 16, 2025, 10:04:34 Flamingo is a message storage plugin originally created for Contact Form 7 (https://wordpress.org/plugins/contact-form-7/), which doesn't store submitted messages. After activation of the plugin, you'll find Flamingo on the WordPress admin screen menu. All messages through contact forms are listed there and are searchable. With Flamingo, you no longer need to worry about losing important messages due to mail server issues or misconfiguration in mail s...