cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC | Application | Status | Date | Affected versions (Min / Max) | Description
Actual on: Jun 11, 2026, 03:06:14

CVE-2026-9662 | Recover Exit For WooCommerce | vulnerable | Jun 11, 2026, 05:06:33 | Min - / Max 1.0.3
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains,...

CVE-2026-48873 | Montonio for WooCommerce | vulnerable | Jun 11, 2026, 04:06:35 | Min - / Max 10.1.3
Montonio for WooCommerce [montonio-for-woocommerce] < 10.1.3 CVE-2026-48873

CVE-2024-58348 | Background Image Cropper | vulnerable | Jun 11, 2026, 04:06:22 | Min - / Max 1.2
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.

CVE-2026-48964 | ELEX WordPress HelpDesk & Customer Ticketing System | vulnerable | Jun 11, 2026, 04:06:19 | Min - / Max 3.3.7
ELEX WordPress HelpDesk & Customer Ticketing System [elex-helpdesk-customer-support-ticket-system] < 3.3.7 CVE-2026-48964

CVE-2026-8499 | Helpfulcrowd Product Reviews | vulnerable | Jun 11, 2026, 03:06:01 | Min - / Max 1.2.9
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticate...

CVE-2026-8883 | Global Body Mass Index Calculator | vulnerable | Jun 11, 2026, 02:06:56 | Min - / Max 1.2
The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the GBMI_Calc_Widget::widget() function. Shortcode attributes are extracted directly into local variables via @extract($args) and then echoed unescaped into an HTML style attribute (height/width) and HTML body context (title), allow...

CVE-2026-9185 | 6Storage Rentals | vulnerable | Jun 11, 2026, 02:06:25 | Min - / Max 2.22.0
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, se...

CVE-2026-49770 | WP Travel Engine – Best Travel Booking WordPress Plugin | vulnerable | Jun 11, 2026, 02:06:16 | Min - / Max 6.8.0
WP Travel Engine – Tour Booking Plugin – Tour Operator Software [wp-travel-engine] < 6.8.0 CVE-2026-49770

CVE-2026-39435 | cformsII | vulnerable | Jun 11, 2026, 01:06:27 | Min - / Max 15.1.4
cformsII [cforms2] < 15.1.4 CVE-2026-39435

CVE-2026-49106 | Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | vulnerable | Jun 11, 2026, 01:06:25 | Min - / Max 1.1.7
Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-constant-contact] < 1.1.7 CVE-2026-49106

Recent approved applications

Application | Date | Description | Details
Actual on: Jun 11, 2026, 03:06:14

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | May 26, 2026, 14:05:16
Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...

Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels | May 26, 2026, 14:05:15
Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...

Custom Fonts – Host Your Fonts Locally | May 26, 2026, 14:05:13
Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the...

FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin | May 26, 2026, 14:05:11
SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirmin...

SiteGuard WP Plugin | May 26, 2026, 14:05:10
Login hardening plugins operate directly on WordPress authentication, administration access, CAPTCHA behavior, lockout logic, and security notifications. That position gives them defensive value, but it also creates a high-impact attack surface: weak validation or unsafe configuration handling can cause lockout bypass, administrator denial of service, sensitive path disclosure, or unauthorized modification of protection rules. SiteGuard WP Plugin version 1.7.12 has successfully completed the CleanTalk Plugi...

Advanced Editor Tools | May 01, 2026, 14:05:56
Editor enhancement plugins operate directly on the boundary between content creation, rich-text formatting, block editor behavior, Classic Editor compatibility, and front-end rendering. These plugins influence how authors create content, how formatting is stored, how editor settings are applied, and how HTML produced by rich-text tools eventually appears on public pages. A weakness in this class of plugin can lead to stored XSS through editor content or settings, unauthorized configuration changes, unsafe h...

Really Simple SSL | May 01, 2026, 14:05:56
Security and SSL enforcement plugins operate across some of the most sensitive trust boundaries in WordPress because they can influence HTTPS migration, redirect behavior, security headers, login protection, two-factor authentication, vulnerability detection, and site hardening controls. Weaknesses in this class of plugin can affect confidentiality, session safety, authentication integrity, administrative access control, or the reliability of security configuration across the entire site. Really Simple Secu...

WP Booking Calendar | Apr 28, 2026, 17:04:40
Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto...

UiCore Animate | Apr 28, 2026, 17:04:40
Animation and interaction plugins operate on a sensitive boundary between front-end rendering, visual builder controls, Gutenberg block behavior, Elementor widget configuration, and client-side JavaScript execution. These plugins often modify how content appears, moves, loads, transitions between pages, and reacts to scrolling or user interaction. A weakness in this class of plugin can lead to stored XSS through animation settings, unsafe rendering of visual effects, unauthorized modification of design beha...

YayMail – WooCommerce Email Customizer | Apr 28, 2026, 17:04:40
WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage throu...