| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: May 26, 2026, 17:05:25 | ||||
|
vulnerable
|
May 26, 2026, 17:05:08 |
Min -
Max 5.6.3.1
|
WP Activity Log [wp-security-audit-log] < 5.6.3.1 CVE-2026-45435 [en] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3. | |
|
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
vulnerable
|
May 26, 2026, 15:05:21 |
Min -
Max 2.0.9
|
Unlimited Elements For Elementor [unlimited-elements-for-elementor] < 2.0.9 CVE-2026-48837 [en] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8. | |
|
SAFE & CERTIFIED
|
May 26, 2026, 14:05:16 |
Min 6.20.1
Max 6.20.1
|
Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process... | |
|
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
SAFE & CERTIFIED
|
May 26, 2026, 14:05:15 |
Min 7.1.1
Max 7.1.1
|
Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p... | |
|
SAFE & CERTIFIED
|
May 26, 2026, 14:05:14 |
Min 4.1.9
Max 4.1.9
|
Media replacement plugins work directly with the WordPress upload directory, attachment records, file names, MIME types, and references embedded across posts and pages. That makes them operationally useful, but also security-sensitive: insufficient checks can lead to arbitrary file upload, unauthorized file overwrite, path manipulation, or integrity damage to existing content. Enable Media Replace version 4.1.9 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2... | |
|
Custom Fonts – Host Your Fonts Locally
SAFE & CERTIFIED
|
May 26, 2026, 14:05:13 |
Min 2.1.17
Max 2.1.17
|
Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the... | |
|
SAFE & CERTIFIED
|
May 26, 2026, 14:05:12 |
Min 3.7.0
Max 3.7.0
|
Commerce integrations expand a WordPress site beyond local content management into external advertising, catalog synchronization, tracking pixels, conversion APIs, and customer communication channels. That integration layer is powerful, but it also increases exposure around tokens, product metadata, order-related events, tracking configuration, and administrator onboarding flows. Meta for WooCommerce version 3.7.0 has successfully completed the CleanTalk Plugin Security Certification process and received PS... | |
|
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin
SAFE & CERTIFIED
|
May 26, 2026, 14:05:11 |
Min 2.2.95
Max 2.2.95
|
SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirmin... | |
|
SAFE & CERTIFIED
|
May 26, 2026, 14:05:10 |
Min 1.7.12
Max 1.7.12
|
Login hardening plugins operate directly on WordPress authentication, administration access, CAPTCHA behavior, lockout logic, and security notifications. That position gives them defensive value, but it also creates a high-impact attack surface: weak validation or unsafe configuration handling can cause lockout bypass, administrator denial of service, sensitive path disclosure, or unauthorized modification of protection rules. SiteGuard WP Plugin version 1.7.12 has successfully completed the CleanTalk Plugi... | |
|
Click to Chat – HoliThemes
SAFE & CERTIFIED
|
May 26, 2026, 14:05:10 |
Min 4.39
Max 4.39
|
WhatsApp contact widgets are small from a user-experience perspective, but they sit on a sensitive boundary between public visitors, business communication flows, tracking, shortcodes, and administrator-controlled display rules. A misstep in this layer can turn a support button into a stored XSS vector, an unsafe redirect path, or a leakage point for contact and form data. Click to Chat – HoliThemes version 4.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-... | |