cleantalk

Vulnerabilities and Security Researches

Recent vulnerability researches

CVE/PSC Application Date Affected versions Description
Actual on: Jul 11, 2026, 17:07:08

CVE-2026-13353

Import CSV or XML Datafeed With Ease

vulnerable

Jul 11, 2026, 20:07:44
Min -
Max 8.1
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-...

CVE-2026-12426

Members – Membership & User Role Editor Plugin

vulnerable

Jul 11, 2026, 20:07:18
Min -
Max 3.2.23
The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.

CVE-2026-3907

Hostel

vulnerable

Jul 11, 2026, 20:07:13
Min -
Max 1.1.8
The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This mak...

CVE-2026-57379

Connect Form to Chat Apps with Contact Form 7 Integration – FormyChat

vulnerable

Jul 11, 2026, 19:07:12
Min -
Max 2.15.4
Contact Form to Chat Apps | Click to Chat to Order &#8211; FormyChat [social-contact-form] < 2.15.4 CVE-2026-57379

CVE-2026-11990

KiviCare &#8211; Clinic &amp; Patient Management System (EHR)

vulnerable

Jul 11, 2026, 18:07:53
Min -
Max 4.5.0
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record in wp_kc_payments_appointment_mappings using an attacker-supplied payment ID, bypassing payment entir...

CVE-2026-14262

Simple JWT Login &#8211; Login and Register to WordPress using JWT

vulnerable

Jul 11, 2026, 18:07:48
Min -
Max 3.6.7
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with t...

CVE-2026-11992

Easy Appointments

vulnerable

Jul 11, 2026, 12:07:33
Min -
Max 3.12.28
The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to cancel all upcoming appointments site-wide by marking every future appointment stored by the plugin as abandoned. The nonce required to authenticate the cancellation request is printed on the Appo...

CVE-2026-11869

WP DSGVO Tools (GDPR)

vulnerable

Jul 11, 2026, 11:07:56
Min -
Max 3.1.40
The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address.

CVE-2026-13039

Event Manager, Events Calendar, Events Tickets for WooCommerce &#8211; Eventin

vulnerable

Jul 11, 2026, 11:07:51
Min -
Max 4.1.16
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID ...

CVE-2026-12924

Event Manager, Events Calendar, Events Tickets for WooCommerce &#8211; Eventin

vulnerable

Jul 11, 2026, 11:07:51
Min -
Max 4.1.16
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recent approved applications

Application Date Description Details
Actual on: Jul 11, 2026, 17:07:08

Jetpack – WP Security, Backup, Speed, & Growth

Jun 25, 2026, 16:06:39 Security and performance suites operate across many areas of a WordPress installation, including backups, malware scanning, content delivery, statistics, forms, and social publishing. That makes them operationally useful, but also security-sensitive because a broad plugin footprint can affect privileged settings, connected service tokens, public scripts, and administrator workflows. Jetpack - WP Security, Backup, Speed, and Growth version 15.9.1 has successfully completed the CleanTalk Plugin Security Certi...

Admin and Site Enhancements (ASE)

Jun 25, 2026, 16:06:39 Administrative enhancement plugins concentrate many privileged controls in one interface, including editor behavior, media tools, SMTP settings, menu changes, and site management modules. That makes them efficient for administrators, but also security-sensitive because broad settings can affect core WordPress behavior. Admin and Site Enhancements (ASE) version 8.8.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64673, confirming that the plugin was revi...

Really Simple CAPTCHA

Jun 25, 2026, 16:06:39 CAPTCHA helper plugins sit close to form submission flows, generated challenge files, temporary tokens, and validation results used by other plugins. That makes them useful against automated abuse, but also security-sensitive because weak file handling or predictable challenge behavior can affect public forms. Really Simple CAPTCHA version 2.4 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64669, confirming that the plugin was reviewed from a secure code...

Mailchimp for WooCommerce

Jun 25, 2026, 16:06:39 Email marketing integrations process order activity, customer profiles, product metadata, cart events, and API credentials. That makes them useful for store communication, but also security-sensitive because customer related data moves between WooCommerce and an external marketing platform. Mailchimp for WooCommerce version 6.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64671, confirming that the plugin was reviewed from a secure code perspective w...

Font Awesome

Jun 25, 2026, 16:06:39 Icon plugins affect the editor, public markup, scripts, styles, and sometimes external kit configuration. That makes them convenient for visual design, but also security-sensitive because stored icon settings and asset URLs can become part of the public HTML served to visitors. Font Awesome version 5.1.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64668, confirming that the plugin was reviewed from a secure code perspective with attention to common ex...

Pinterest for WooCommerce

Jun 25, 2026, 16:06:39 Commerce marketing integrations handle product data, tracking events, connected account settings, and background synchronization. That makes them valuable for store growth, but also security-sensitive because merchant configuration and catalog data can affect both customer privacy and public product visibility. Pinterest for WooCommerce version 1.4.27 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64670, confirming that the plugin was reviewed from a sec...

Facebook Chat Plugin &#8211; Live Chat Plugin for WordPress

Jun 25, 2026, 16:06:39 Live chat plugins add third-party scripts, public widgets, and administrator managed page identifiers to WordPress pages. That makes them useful for customer communication, but also security-sensitive because stored settings are rendered to visitors and external script behavior becomes part of the public site surface. Facebook Chat Plugin - Live Chat Plugin for WordPress version 2.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64667, confirming that th...

Page Optimize

Jun 25, 2026, 16:06:39 Page optimization plugins change how scripts, styles, and front-end resources are loaded. That makes them useful for performance, but also security-sensitive because optimized output becomes part of every public page and can affect forms, commerce, analytics, and security controls. Page Optimize version 0.6.3 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64674, confirming that the plugin was reviewed from a secure code perspective with attention to comm...

Advanced Google reCAPTCHA

Jun 25, 2026, 16:06:39 Anti-spam plugins protect login, registration, comment, and public form paths. That makes them useful against automated abuse, but also security-sensitive because enforcement failures can leave high-value endpoints exposed or block legitimate visitors from expected workflows. Advanced Google reCAPTCHA version 5.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64672, confirming that the plugin was reviewed from a secure code perspective with attention to...

Instant Images &#8211; One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels

May 26, 2026, 14:05:15 Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...