Vulnerabilities and Security Researches

Recent vulnerability researches
CVE/PSC	Application	Date	Affected versions	Description
			Actual on: Jun 23, 2026, 07:06:35
CVE-2022-50972	WooCommerce vulnerable	Jun 22, 2026, 15:06:26	Min - Max 7.1.0	WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.
CVE-2026-11911	Simple File List vulnerable	Jun 21, 2026, 16:06:06	Min - Max 6.3.8	The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentic...
CVE-2026-12119	Simple File List vulnerable	Jun 21, 2026, 16:06:06	Min - Max 6.3.8	The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to h...
CVE-2026-11912	Simple File List vulnerable	Jun 21, 2026, 16:06:06	Min - Max 6.3.8	The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
CVE-2026-9822	WP Hotel Booking vulnerable	Jun 21, 2026, 13:06:55	Min - Max 2.3.1	The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
CVE-2026-11551	Branda – White Label WordPress, Custom Login Page Customizer vulnerable	Jun 21, 2026, 13:06:41	Min - Max 3.4.31	The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CVE-2026-10779	Classified Listing – Classified ads & Business Directory Plugin vulnerable	Jun 21, 2026, 01:06:14	Min - Max 5.4.3	The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing...
CVE-2026-56024	WP EasyPay – Square for WordPress vulnerable	Jun 20, 2026, 23:06:34	Min - Max 4.4.0	Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery. This issue affects WP EasyPay: from n/a through 4.4.0.
CVE-2026-9843	Database for Contact Form 7, WPforms, Elementor forms vulnerable	Jun 20, 2026, 19:06:27	Min - Max 1.5.2	The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form...
CVE-2026-12238	WP Go Maps (formerly WP Google Maps) vulnerable	Jun 20, 2026, 17:06:24	Min - Max 10.1.02	The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. T...

Recent approved applications
Application	Date	Description	Details
			Actual on: Jun 23, 2026, 07:06:35
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode	May 26, 2026, 14:05:16	Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels	May 26, 2026, 14:05:15	Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...
Custom Fonts – Host Your Fonts Locally	May 26, 2026, 14:05:13	Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the...
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin	May 26, 2026, 14:05:11	SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirmin...
SiteGuard WP Plugin	May 26, 2026, 14:05:10	Login hardening plugins operate directly on WordPress authentication, administration access, CAPTCHA behavior, lockout logic, and security notifications. That position gives them defensive value, but it also creates a high-impact attack surface: weak validation or unsafe configuration handling can cause lockout bypass, administrator denial of service, sensitive path disclosure, or unauthorized modification of protection rules. SiteGuard WP Plugin version 1.7.12 has successfully completed the CleanTalk Plugi...
Advanced Editor Tools	May 01, 2026, 14:05:56	Editor enhancement plugins operate directly on the boundary between content creation, rich-text formatting, block editor behavior, Classic Editor compatibility, and front-end rendering. These plugins influence how authors create content, how formatting is stored, how editor settings are applied, and how HTML produced by rich-text tools eventually appears on public pages. A weakness in this class of plugin can lead to stored XSS through editor content or settings, unauthorized configuration changes, unsafe h...
Really Simple SSL	May 01, 2026, 14:05:56	Security and SSL enforcement plugins operate across some of the most sensitive trust boundaries in WordPress because they can influence HTTPS migration, redirect behavior, security headers, login protection, two-factor authentication, vulnerability detection, and site hardening controls. Weaknesses in this class of plugin can affect confidentiality, session safety, authentication integrity, administrative access control, or the reliability of security configuration across the entire site. Really Simple Secu...
WP Booking Calendar	Apr 28, 2026, 17:04:40	Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto...
UiCore Animate	Apr 28, 2026, 17:04:40	Animation and interaction plugins operate on a sensitive boundary between front-end rendering, visual builder controls, Gutenberg block behavior, Elementor widget configuration, and client-side JavaScript execution. These plugins often modify how content appears, moves, loads, transitions between pages, and reacts to scrolling or user interaction. A weakness in this class of plugin can lead to stored XSS through animation settings, unsafe rendering of visual effects, unauthorized modification of design beha...
YayMail – WooCommerce Email Customizer	Apr 28, 2026, 17:04:40	WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage throu...

Recent vulnerability researches

Recent approved applications