cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC Application Date Affected versions Description
Current as of: Jun 13, 2026, 00:06:29

CVE-2023-33999

Error Log Monitor

vulnerable

Jun 13, 2026, 05:06:27
Min -
Max 1.7.7
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

CVE-2023-33999

Stackable – Page Builder Gutenberg Blocks

vulnerable

Jun 13, 2026, 05:06:22
Min -
Max 3.10.0
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

CVE-2023-33999

WordPress Translation plugin for Post, Pages & WooCommerce products. Tranzly IO AI DeepL automatic WordPress Translator.

vulnerable

Jun 13, 2026, 05:06:06
Min -
Max 2.0.0
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

CVE-2023-33999

Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7

vulnerable

Jun 13, 2026, 05:06:05
Min -
Max 1.3.3
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

CVE-2023-33999

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg

vulnerable

Jun 13, 2026, 05:06:03
Min -
Max 2.0.3
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

CVE-2026-48872

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg

vulnerable

Jun 13, 2026, 05:06:03
Min -
Max 4.5.3
EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more [embedpress] < 4.5.3 CVE-2026-48872

CVE-2022-44630

YITH WooCommerce Ajax Search

vulnerable

Jun 13, 2026, 04:06:58
Min -
Max 1.25.1
Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This issue affects YITH WooCommerce Product Slider Carousel: from n/a through 1.16.0.

CVE-2023-33999

Auto Robot – WP Autoblogging and RSS Feed News Aggregator

vulnerable

Jun 13, 2026, 04:06:57
Min -
Max 3.6.43
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

CVE-2026-3220

Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

vulnerable

Jun 13, 2026, 04:06:56
Min -
Max 2.4.2
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

CVE-2023-33999

Migrate WordPress Website & Backups – Prime Mover

vulnerable

Jun 13, 2026, 04:06:47
Min -
Max 1.8.8
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

Recent approved applications

Application Date Description Details
Current as of: Jun 13, 2026, 00:06:29

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

May 26, 2026, 14:05:16 Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...

Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels

May 26, 2026, 14:05:15 Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...

Custom Fonts – Host Your Fonts Locally

May 26, 2026, 14:05:13 Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the...

FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin

May 26, 2026, 14:05:11 SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirmin...

SiteGuard WP Plugin

May 26, 2026, 14:05:10 Login hardening plugins operate directly on WordPress authentication, administration access, CAPTCHA behavior, lockout logic, and security notifications. That position gives them defensive value, but it also creates a high-impact attack surface: weak validation or unsafe configuration handling can cause lockout bypass, administrator denial of service, sensitive path disclosure, or unauthorized modification of protection rules. SiteGuard WP Plugin version 1.7.12 has successfully completed the CleanTalk Plugi...

Advanced Editor Tools

May 01, 2026, 14:05:56 Editor enhancement plugins operate directly on the boundary between content creation, rich-text formatting, block editor behavior, Classic Editor compatibility, and front-end rendering. These plugins influence how authors create content, how formatting is stored, how editor settings are applied, and how HTML produced by rich-text tools eventually appears on public pages. A weakness in this class of plugin can lead to stored XSS through editor content or settings, unauthorized configuration changes, unsafe h...

Really Simple SSL

May 01, 2026, 14:05:56 Security and SSL enforcement plugins operate across some of the most sensitive trust boundaries in WordPress because they can influence HTTPS migration, redirect behavior, security headers, login protection, two-factor authentication, vulnerability detection, and site hardening controls. Weaknesses in this class of plugin can affect confidentiality, session safety, authentication integrity, administrative access control, or the reliability of security configuration across the entire site. Really Simple Secu...

WP Booking Calendar

Apr 28, 2026, 17:04:40 Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto...

UiCore Animate

Apr 28, 2026, 17:04:40 Animation and interaction plugins operate on a sensitive boundary between front-end rendering, visual builder controls, Gutenberg block behavior, Elementor widget configuration, and client-side JavaScript execution. These plugins often modify how content appears, moves, loads, transitions between pages, and reacts to scrolling or user interaction. A weakness in this class of plugin can lead to stored XSS through animation settings, unsafe rendering of visual effects, unauthorized modification of design beha...

YayMail – WooCommerce Email Customizer

Apr 28, 2026, 17:04:40 WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage throu...