cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC Application Date Affected versions Description
As of: Jan 29, 2026, 05:01:39

CVE-2025-68881

APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps

vulnerable

Jan 28, 2026, 05:01:45
Min -
Max 1.4.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5.

CVE-2025-68979

Simple Calendar – Google Calendar Plugin

vulnerable

Jan 28, 2026, 05:01:44
Min -
Max 3.5.9
Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through <= 3.5.9.

CVE-2025-14901

Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form

vulnerable

Jan 28, 2026, 05:01:43
Min -
Max 2.21.7
The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations includ...

CVE-2026-22482

IMGspider – 图片采集抓取插件

vulnerable

Jan 28, 2026, 05:01:42
Min -
Max 2.3.12
Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12.

CVE-2025-15380

NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor

vulnerable

Jan 28, 2026, 05:01:41
Min -
Max 3.2.1
The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user vi...

CVE-2025-13498

Download Manager

vulnerable

Jan 28, 2026, 05:01:40
Min -
Max 3.3.33
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted f...

CVE-2025-15364

Download Manager

vulnerable

Jan 28, 2026, 05:01:40
Min -
Max 3.3.41
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details, such as the password. This makes it possible for unauthenticated attackers to change users' passwords, except those of administrators, and leverage that to gain access to their accounts.

CVE-2025-68497

Astra Widgets

vulnerable

Jan 28, 2026, 05:01:37
Min -
Max 1.2.16
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.16.

CVE-2026-22445

Apimo connector

vulnerable

Jan 28, 2026, 05:01:32
Min -
Max 2.6.4
Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.4.

CVE-2025-14973

Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

vulnerable

Jan 28, 2026, 05:01:30
Min -
Max 3.4.13
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.

Recent approved applications

Application Date Description Details
As of: Jan 29, 2026, 05:01:39

WP Multibyte Patch

Jan 16, 2026, 16:01:44 WP Multibyte Patch v2.9.3 has successfully passed the CleanTalk Plugin Security Certification (PSC-2025-64598). This certification confirms that the plugin’s codebase was reviewed and validated against a broad range of high-impact vulnerability classes, ensuring it can be used confidently in production environments.

Redis Object Cache

Sep 17, 2025, 11:09:45 Redis Object Cache 2.6.5 is a persistent object cache backend powered by Redis, designed to enhance WordPress performance and scalability. It supports multiple PHP clients such as Predis, PhpRedis (PECL), and Relay, while offering advanced features like replication, sentinels, clustering, and seamless WP-CLI integration. Administrators can configure connection parameters, customize key prefixes, and set up replication or clustering to ensure optimal performance and reliability. For enterprise environments...

PDF Embedder

Sep 11, 2025, 11:09:45 PDF Embedder is a powerful WordPress plugin that allows you to upload and embed PDF files directly into posts and pages, offering seamless document presentation with responsive design. Unlike other plugins that rely on iframes, PDF Embedder uses a unique JavaScript-based rendering method that gives site administrators complete control over the look, sizing, and navigation of embedded PDFs. The plugin ensures that all PDF files and associated scripts are served from your own server, guaranteeing both faster...

Category Order and Taxonomy Terms Order

Sep 08, 2025, 11:09:45 Category Order and Taxonomy Terms Order is a lightweight yet powerful WordPress plugin that enables administrators to reorder categories and custom taxonomy terms with a drag-and-drop interface. Developed by Nsp-Code, this plugin enhances site structure and usability without requiring theme or plugin modifications. While primarily a tool for content organization, it also interacts directly with queries and the WordPress admin environment—areas where poorly implemented code could create vulnerabilities. Tha...

Meta pixel for WordPress

Sep 05, 2025, 10:09:48 Meta Pixel for WordPress is a lightweight and powerful plugin that allows website owners to easily integrate the Meta Pixel (formerly Facebook Pixel) into their WordPress site. With this plugin, site administrators can track critical events such as Lead, ViewContent, AddToCart, InitiateCheckout, and Purchase, while also leveraging the Conversions API for more reliable data collection. By combining the Pixel with the Conversions API, businesses can establish a direct, server-to-server connection with Meta s...

WP-PageNavi

Sep 05, 2025, 10:09:44 WP-PageNavi is one of the most widely used plugins for adding advanced paging navigation to WordPress. Instead of the basic “Older posts | Newer posts” links, it provides a more user-friendly and customizable pagination interface that improves navigation across archives, blogs, and multipage posts. With a long-standing reputation for reliability, WP-PageNavi is trusted by thousands of site owners to enhance usability. Now, with the Plugin Security Certification (PSC-2025-64594) by CleanTalk, WP-PageNavi ha...

Redux Framework

Aug 28, 2025, 11:08:45 The Redux Framework has long been the go-to options framework for WordPress developers. It provides an extensible, fully responsive environment for building option panels, customizer controls, and advanced UI fields for themes and plugins. By saving developers months of work, Redux accelerates innovation while maintaining a clean, standards-based architecture. With the release of version 4.5.7, Redux Framework has officially achieved the Plugin Security Certification (PSC-2025-64592) by CleanTalk, confirmi...

GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent)

Aug 26, 2025, 10:08:33 Ensuring compliance with GDPR, CCPA, DSGVO, and other global privacy regulations is critical for every WordPress-powered website. The GDPR Cookie Compliance plugin (v5.0.9) provides an all-in-one solution for cookie consent management, offering flexibility, transparency, and full compliance with international data protection laws. With its latest achievement, the plugin has been awarded the Plugin Security Certification (PSC-2025-64591) by CleanTalk, guaranteeing that its codebase is secure, hardened, and ...

WP Activity Log

Aug 21, 2025, 21:08:55 WP Activity Log is a powerful WordPress plugin designed to provide detailed, real-time logging of all activities across your WordPress sites and multisite networks. From user login attempts to changes in posts, plugins, themes, and settings, this plugin gives administrators full visibility into everything that happens on their websites. With its granular event tracking, WP Activity Log helps site owners improve security, accountability, compliance, and troubleshooting. Administrators can detect suspicious ...

Superb Addons – WordPress Editor Blocks & Patterns and Elementor Sections & Elements

Aug 21, 2025, 13:08:55 Now, with its successful completion of the Plugin Security Certification (PSC-2025-64588) by CleanTalk, Superb Addons not only delivers cutting-edge features but also guarantees code-level security and reliability. This certification proves that the plugin has been rigorously tested against the most common and dangerous vulnerabilities in the WordPress ecosystem.