cleantalk

Vulnerabilities and Security Researches

Recent vulnerability researches

CVE/PSC Application Date Affected versions Description
Actual on: Jul 02, 2026, 13:07:50

CVE-2026-12158

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

vulnerable

Jul 02, 2026, 18:07:25
Min -
Max 6.0.9.2
The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a s...

CVE-2026-57722

Enable Media Replace

vulnerable

Jul 02, 2026, 18:07:02
Min -
Max 4.2.2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS. This issue affects Enable Media Replace: from n/a through 4.2.1.

CVE-2026-13246

GiveWP – Donation Plugin and Fundraising Platform

vulnerable

Jul 02, 2026, 16:07:55
Min -
Max 4.16.1
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML...

CVE-2026-11981

GiveWP – Donation Plugin and Fundraising Platform

vulnerable

Jul 02, 2026, 16:07:55
Min -
Max 4.15.4
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2026-5821

Image Optimizer by Elementor – Compress, Resize and Optimize Images

vulnerable

Jul 02, 2026, 14:07:54
Min -
Max 1.7.5
The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachm...

CVE-2026-11988

LearnPress – WordPress LMS Plugin

vulnerable

Jul 02, 2026, 14:07:25
Min -
Max 4.4.0
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply w...

CVE-2026-12732

LearnPress – WordPress LMS Plugin

vulnerable

Jul 02, 2026, 14:07:25
Min -
Max 4.4.1
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class="%s">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does no...

CVE-2026-13015

WP Google Review Slider

vulnerable

Jul 02, 2026, 13:07:33
Min -
Max 18.2
The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, 18.1. This is due to insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php, where the $_GET['place'] value is URL-decoded, stripslashes()'d, and echoed directly into an HTML value attribute with no esc_attr() call when the supplied place is not already a stored key in the wprev_google_crawls option. This makes ...

CVE-2026-12408

Slim SEO &#8211; Fast &amp; Automated WordPress SEO Plugin

vulnerable

Jul 02, 2026, 12:07:39
Min -
Max 4.9.9
The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass ...

CVE-2026-7517

Custom Payment Gateways for WooCommerce

vulnerable

Jul 02, 2026, 12:07:30
Min -
Max 2.2.0
The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST...

Recent approved applications

Application Date Description Details
Actual on: Jul 02, 2026, 13:07:50

Jetpack – WP Security, Backup, Speed, & Growth

Jun 25, 2026, 16:06:39 Security and performance suites operate across many areas of a WordPress installation, including backups, malware scanning, content delivery, statistics, forms, and social publishing. That makes them operationally useful, but also security-sensitive because a broad plugin footprint can affect privileged settings, connected service tokens, public scripts, and administrator workflows. Jetpack - WP Security, Backup, Speed, and Growth version 15.9.1 has successfully completed the CleanTalk Plugin Security Certi...

Admin and Site Enhancements (ASE)

Jun 25, 2026, 16:06:39 Administrative enhancement plugins concentrate many privileged controls in one interface, including editor behavior, media tools, SMTP settings, menu changes, and site management modules. That makes them efficient for administrators, but also security-sensitive because broad settings can affect core WordPress behavior. Admin and Site Enhancements (ASE) version 8.8.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64673, confirming that the plugin was revi...

Really Simple CAPTCHA

Jun 25, 2026, 16:06:39 CAPTCHA helper plugins sit close to form submission flows, generated challenge files, temporary tokens, and validation results used by other plugins. That makes them useful against automated abuse, but also security-sensitive because weak file handling or predictable challenge behavior can affect public forms. Really Simple CAPTCHA version 2.4 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64669, confirming that the plugin was reviewed from a secure code...

Mailchimp for WooCommerce

Jun 25, 2026, 16:06:39 Email marketing integrations process order activity, customer profiles, product metadata, cart events, and API credentials. That makes them useful for store communication, but also security-sensitive because customer related data moves between WooCommerce and an external marketing platform. Mailchimp for WooCommerce version 6.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64671, confirming that the plugin was reviewed from a secure code perspective w...

Font Awesome

Jun 25, 2026, 16:06:39 Icon plugins affect the editor, public markup, scripts, styles, and sometimes external kit configuration. That makes them convenient for visual design, but also security-sensitive because stored icon settings and asset URLs can become part of the public HTML served to visitors. Font Awesome version 5.1.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64668, confirming that the plugin was reviewed from a secure code perspective with attention to common ex...

Pinterest for WooCommerce

Jun 25, 2026, 16:06:39 Commerce marketing integrations handle product data, tracking events, connected account settings, and background synchronization. That makes them valuable for store growth, but also security-sensitive because merchant configuration and catalog data can affect both customer privacy and public product visibility. Pinterest for WooCommerce version 1.4.27 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64670, confirming that the plugin was reviewed from a sec...

Facebook Chat Plugin &#8211; Live Chat Plugin for WordPress

Jun 25, 2026, 16:06:39 Live chat plugins add third-party scripts, public widgets, and administrator managed page identifiers to WordPress pages. That makes them useful for customer communication, but also security-sensitive because stored settings are rendered to visitors and external script behavior becomes part of the public site surface. Facebook Chat Plugin - Live Chat Plugin for WordPress version 2.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64667, confirming that th...

Page Optimize

Jun 25, 2026, 16:06:39 Page optimization plugins change how scripts, styles, and front-end resources are loaded. That makes them useful for performance, but also security-sensitive because optimized output becomes part of every public page and can affect forms, commerce, analytics, and security controls. Page Optimize version 0.6.3 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64674, confirming that the plugin was reviewed from a secure code perspective with attention to comm...

Advanced Google reCAPTCHA

Jun 25, 2026, 16:06:39 Anti-spam plugins protect login, registration, comment, and public form paths. That makes them useful against automated abuse, but also security-sensitive because enforcement failures can leave high-value endpoints exposed or block legitimate visitors from expected workflows. Advanced Google reCAPTCHA version 5.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64672, confirming that the plugin was reviewed from a secure code perspective with attention to...

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

May 26, 2026, 14:05:16 Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...