cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC Application Date Affected versions Description
Actual on: Jun 29, 2026, 17:06:34

CVE-2026-56061
Application: Subscriptions for WooCommerce – Subscription Plugin for Collecting Recurring Revenue, Sell Membership Subscription Servic
Status: vulnerable
Date: Jun 29, 2026, 21:06:50
Affected versions: Min -, Max 1.9.6
Description: Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions.

CVE-2026-57628
Application: Import any XML or CSV File to WordPress
Status: vulnerable
Date: Jun 29, 2026, 21:06:23
Affected versions: Min -, Max 4.1.0
Description: Administrator SQL Injection in WP All Import <= 4.0.1 versions.

CVE-2026-3462
Application: Official Billwerk+ Payments Gateway
Status: vulnerable
Date: Jun 29, 2026, 21:06:12
Affected versions: Min -, Max 1.8.10
Description: The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.

CVE-2026-56038
Application: Official Billwerk+ Payments Gateway
Status: vulnerable
Date: Jun 29, 2026, 21:06:12
Affected versions: Min -, Max 1.8.2.1
Description: Contributor Privilege Escalation in Frisbii Pay <= 1.8.2 versions.

CVE-2026-10820
Application: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Status: vulnerable
Date: Jun 29, 2026, 20:06:21
Affected versions: Min -, Max 4.16.17
Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.

CVE-2026-13295
Application: Page Builder by SiteOrigin
Status: vulnerable
Date: Jun 29, 2026, 20:06:11
Affected versions: Min -, Max 2.34.4
Description: The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save a...

CVE-2026-11356
Application: Ivory Search – WordPress Search Plugin
Status: vulnerable
Date: Jun 29, 2026, 19:06:07
Affected versions: Min -, Max 5.5.16
Description: The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-57317
Application: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Status: vulnerable
Date: Jun 29, 2026, 18:06:53
Affected versions: Min -, Max 1.6.12.4
Description: Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.

CVE-2026-56052
Application: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One
Status: vulnerable
Date: Jun 26, 2026, 20:06:45
Affected versions: Min -, Max 3.15.0.6
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.

CVE-2026-9710
Application: Cornerstone
Status: vulnerable
Date: Jun 26, 2026, 14:06:04
Affected versions: Min -, Max 7.8.8
Description: The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X, not the unrelated free `cornerstone` Cornerstone WordPr...

Recent approved applications

Application Date Description Details
Actual on: Jun 29, 2026, 17:06:34

Jetpack – WP Security, Backup, Speed, & Growth
Date: Jun 25, 2026, 16:06:39
Description: Security and performance suites operate across many areas of a WordPress installation, including backups, malware scanning, content delivery, statistics, forms, and social publishing. That makes them operationally useful, but also security-sensitive because a broad plugin footprint can affect privileged settings, connected service tokens, public scripts, and administrator workflows. Jetpack - WP Security, Backup, Speed, and Growth version 15.9.1 has successfully completed the CleanTalk Plugin Security Certi...

Admin and Site Enhancements (ASE)
Date: Jun 25, 2026, 16:06:39
Description: Administrative enhancement plugins concentrate many privileged controls in one interface, including editor behavior, media tools, SMTP settings, menu changes, and site management modules. That makes them efficient for administrators, but also security-sensitive because broad settings can affect core WordPress behavior. Admin and Site Enhancements (ASE) version 8.8.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64673, confirming that the plugin was revi...

Really Simple CAPTCHA
Date: Jun 25, 2026, 16:06:39
Description: CAPTCHA helper plugins sit close to form submission flows, generated challenge files, temporary tokens, and validation results used by other plugins. That makes them useful against automated abuse, but also security-sensitive because weak file handling or predictable challenge behavior can affect public forms. Really Simple CAPTCHA version 2.4 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64669, confirming that the plugin was reviewed from a secure code...

Mailchimp for WooCommerce
Date: Jun 25, 2026, 16:06:39
Description: Email marketing integrations process order activity, customer profiles, product metadata, cart events, and API credentials. That makes them useful for store communication, but also security-sensitive because customer-related data moves between WooCommerce and an external marketing platform. Mailchimp for WooCommerce version 6.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64671, confirming that the plugin was reviewed from a secure code perspective w...

Font Awesome
Date: Jun 25, 2026, 16:06:39
Description: Icon plugins affect the editor, public markup, scripts, styles, and sometimes external kit configuration. That makes them convenient for visual design, but also security-sensitive because stored icon settings and asset URLs can become part of the public HTML served to visitors. Font Awesome version 5.1.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64668, confirming that the plugin was reviewed from a secure code perspective with attention to common ex...

Pinterest for WooCommerce
Date: Jun 25, 2026, 16:06:39
Description: Commerce marketing integrations handle product data, tracking events, connected account settings, and background synchronization. That makes them valuable for store growth, but also security-sensitive because merchant configuration and catalog data can affect both customer privacy and public product visibility. Pinterest for WooCommerce version 1.4.27 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64670, confirming that the plugin was reviewed from a sec...

Facebook Chat Plugin – Live Chat Plugin for WordPress
Date: Jun 25, 2026, 16:06:39
Description: Live chat plugins add third-party scripts, public widgets, and administrator-managed page identifiers to WordPress pages. That makes them useful for customer communication, but also security-sensitive because stored settings are rendered to visitors and external script behavior becomes part of the public site surface. Facebook Chat Plugin - Live Chat Plugin for WordPress version 2.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64667, confirming that th...

Page Optimize
Date: Jun 25, 2026, 16:06:39
Description: Page optimization plugins change how scripts, styles, and front-end resources are loaded. That makes them useful for performance, but also security-sensitive because optimized output becomes part of every public page and can affect forms, commerce, analytics, and security controls. Page Optimize version 0.6.3 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64674, confirming that the plugin was reviewed from a secure code perspective with attention to comm...

Image Optimizer by Elementor – Compress, Resize and Optimize Images
Date: Jun 25, 2026, 16:06:39
Description: Image optimization plugins work directly with uploaded media, generated derivatives, file names, MIME types, and background processing jobs. That makes them useful for performance, but also security-sensitive because unsafe media handling can lead to path manipulation, unauthorized file access, broken public assets, or exposure of media metadata. Image Optimizer - Optimize Images and Convert to WebP or AVIF version 1.7.5 has successfully completed the CleanTalk Plugin Security Certification process and rece...

Advanced Google reCAPTCHA
Date: Jun 25, 2026, 16:06:39
Description: Anti-spam plugins protect login, registration, comment, and public form paths. That makes them useful against automated abuse, but also security-sensitive because enforcement failures can leave high-value endpoints exposed or block legitimate visitors from expected workflows. Advanced Google reCAPTCHA version 5.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64672, confirming that the plugin was reviewed from a secure code perspective with attention to...