Vulnerabilities and Security Researches

Recent vulnerability researches
CVE/PSC	Application	Date	Affected versions	Description
			Actual on: May 04, 2025, 04:05:56
CVE-2024-12023	FULL – Cliente vulnerable	May 04, 2025, 09:05:29	Min 3.1.5 Max 3.1.25	The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the P...
CVE-2025-4179	Flynax Bridge vulnerable	May 04, 2025, 09:05:19	Min - Max 2.2.0	The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors.
CVE-2025-4177	Flynax Bridge vulnerable	May 04, 2025, 09:05:19	Min - Max 2.2.0	The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.
CVE-2025-4170	Xavin's Review Ratings vulnerable	May 04, 2025, 08:05:12	Min - Max 1.4.0	The Xavin's Review Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xrr' shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13381	Calculated Fields Form vulnerable	May 03, 2025, 20:05:51	Min - Max 5.2.62	The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-3670	KiwiChat NextClient vulnerable	May 03, 2025, 08:05:36	Min - Max 6.2	The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-27007	SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! vulnerable	May 03, 2025, 06:05:09	Min - Max 1.0.83	Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82.
CVE-2025-3748	Taxonomy Chain Menu vulnerable	May 03, 2025, 03:05:49	Min - Max 2.0.9	The Taxonomy Chain Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pn_chain_menu shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-3752	Able Player, accessible HTML5 media player vulnerable	May 02, 2025, 09:05:25	Min - Max 1.2.2	The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-3953	WP Statistics vulnerable	May 01, 2025, 10:05:59	Min - Max 14.13.4	The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.

Recent approved applications
Application	Date	Description	Details
			Actual on: May 04, 2025, 04:05:56
Simple Custom CSS and JS	Apr 25, 2025, 00:04:55	<p>Customize your WordPress site’s appearance by easily adding custom CSS and JS code without even having to modify your theme or plugin files. This is perfect for adding custom CSS tweaks to your site.</p> <h4>Features</h4> <ul> <li><strong>Text editor</strong> with syntax highlighting </li> <li>Print the code <strong>inline</strong> or included into an <strong>external file</strong></li> <li>Print the code in the <strong>header</strong> or the <strong>footer</strong></li> <li>Add CSS or JS to the <s...
WooCommerce Shipping & Tax	Apr 21, 2025, 19:04:49	<p>WooCommerce Shipping & Tax makes basic eCommerce features like shipping more reliable by taking the burden off of your site’s infrastructure.</p> <p>With WooCommerce Shipping & Tax, critical services are hosted on Automattic’s best-in-class infrastructure, rather than relying on your store’s hosting. That means your store will be more stable and faster.<br /> To use the features, simply install this plugin and activate the ones you want directly in your dashboard. As we add more services, you’ll ...
Flamingo	Apr 16, 2025, 10:04:34	<p>Flamingo is a message storage plugin originally created for <a href="https://wordpress.org/plugins/contact-form-7/" rel="ugc">Contact Form 7</a>, which doesn’t store submitted messages.</p> <p>After activation of the plugin, you’ll find <em>Flamingo</em> on the WordPress admin screen menu. All messages through contact forms are listed there and are searchable. With Flamingo, you are no longer need to worry about losing important messages due to mail server issues or misconfiguration in mail s...
Autoptimize	Apr 15, 2025, 17:04:47	<p>Autoptimize makes optimizing your site really easy. It can aggregate, minify and cache scripts and styles, injects CSS in the page head by default but can also inline critical CSS and defer the aggregated full CSS, moves and defers scripts to the footer and minifies HTML. You can optimize and lazy-load images (with support for WebP and AVIF formats), optimize Google Fonts, async non-aggregated JavaScript, remove WordPress core emoji cruft and more. As such it can improve your site’s performance eve...
Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]	Mar 12, 2025, 18:03:32	<h4>Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]</h4> <p>Instantly allow or disallow comments from any post type in WordPress (Pages, Posts, or Media) to stop the spammers and gain complete control over your full website. WP-CLI Support & Control comments via XML-RPC and REST-API too!</p> <p><a href="https://wpdeveloper.com/plugins/disable-comments/" rel="nofollow ugc">More About Plugin</a> ◼️ <a href="https://wpdeveloper.com/docs-category/disable-comments/" rel="nofollo...
W3 Total Cache	Mar 12, 2025, 18:03:31	<p>W3 Total Cache (W3TC) improves the SEO, Core Web Vitals and overall user experience of your site by increasing website performance and reducing load times by leveraging features like content delivery network (CDN) integration and the latest best practices.</p> <p>W3TC is the <strong>only</strong> web host agnostic Web Performance Optimization (WPO) framework for WordPress trusted by millions of publishers, web developers, and web hosts worldwide for more than a decade. It is the total performance solutio...
Maintenance	Feb 26, 2025, 18:02:05	<p>Maintenance plugin allows the WordPress site administrator to close the website for maintenance, enable “503 Service temporarily unavailable”, set a temporary page with authorization, which can be edited via the plugin settings. Easy customize the good look on all devices. Add your logo, background image, select the desired color, add text. Maintenance uses Bunny Fonts for EU GDPR compliance.</p> <p>Need <strong>pre-made themes</strong> and over 3 million free images to build maintenance, coming so...
Sucuri Security – Auditing, Malware Scanner and Security Hardening	Feb 24, 2025, 15:02:56	<p>Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security.</p> <p>The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. Currently the ownership of this plugin was transferred to GoDaddy.<br /> It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:</p> <ul> <li>Secur...
CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice)	Feb 17, 2025, 21:02:02	<p>The CookieYes GDPR Cookie Consent plugin simplifies GDPR (RGPD, DSVGO) compliance by seamlessly integrating a cookie banner into your website.</p> <p>Additionally, it offers support for various global privacy regulations, including LGPD (Brazil), CNIL (France), PIPEDA (Canada), Law 25 (Quebec), POPIA (South Africa), nFADP (Switzerland), Privacy Act (Australia), PDPL (Saudi Arabia), PDPL (Argentina), PDPL (Andorra), DPA (Faroe Islands), and the California Consumer Privacy Act (CCPA/CPRA). It’s also ...
Safe SVG	Feb 17, 2025, 20:02:32	<p>Safe SVG is the best way to Allow SVG Uploads in WordPress!</p> <p>It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.</p> <h4>Current Features</h4> <ul> <li><strong>Sanitised SVGs</strong> – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.</li> <li><strong>SVG...

Recent vulnerability researches

Recent approved applications