Vulnerabilities and Security Researches

Recent vulnerability researches
CVE/PSC	Application	Date	Affected versions	Description
			Actual on: Jun 05, 2026, 01:06:08
CVE-2026-9732	EmergencyWP – Dead Man's switch & legacy deliverance vulnerable	Jun 04, 2026, 22:06:59	Min - Max 1.4.2	The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the form_settings_ui (settings save handler, procedural include scope) function. This makes it possible for unauthenticated attackers to modify plugin settings including the minimum access role (altering WordPress role capabilities via add_cap/remove_cap), the data-erasure-on-uninstall fl...
CVE-2026-45441	Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin vulnerable	Jun 04, 2026, 22:06:25	Min - Max 5.3.4	Event Booking Manager for WooCommerce [mage-eventpress] < 5.3.4 CVE-2026-45441
CVE-2026-27351	Job Manager and Recruitment Board for Employers and Candidates – Crew HRM vulnerable	Jun 04, 2026, 21:06:20	Min - Max 1.2.3	Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2.
CVE-2026-42411	CloudSecure WP Security vulnerable	Jun 04, 2026, 19:06:13	Min - Max 1.4.8	CloudSecure WP Security [cloudsecure-wp-security] < 1.4.8 CVE-2026-42411
CVE-2026-27407	AI Engine vulnerable	Jun 04, 2026, 18:06:35	Min - Max 3.5.0	AI Engine – The Chatbot, AI Framework & MCP for WordPress [ai-engine] < 3.5.0 CVE-2026-27407
CVE-2026-9234	WooCommerce JTL-Connector vulnerable	Jun 04, 2026, 13:06:33	Min - Max 2.4.1	The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-leve...
CVE-2026-8885	DeMomentSomTres Shortcodes vulnerable	Jun 04, 2026, 12:06:46	Min - Max 1.1.1	The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes within the st_callout() function, which concatenates the attribute values directly into an HTML style attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject ar...
CVE-2026-1829	Content Visibility for Divi Builder vulnerable	Jun 04, 2026, 10:06:36	Min - Max 4.02	The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb_content_visibility_check' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
CVE-2026-27333	Paid Videochat Turnkey Site – HTML5 PPV Live Webcams vulnerable	Jun 04, 2026, 08:06:43	Min - Max 7.3.24	Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams] < 7.3.24 CVE-2026-27333
CVE-2026-49782	Elementor Website Builder – More than Just a Page Builder vulnerable	Jun 04, 2026, 06:06:37	Min - Max 4.1.1	Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0.

Recent approved applications
Application	Date	Description	Details
			Actual on: Jun 05, 2026, 01:06:08
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode	May 26, 2026, 14:05:16	Coming soon and landing page builders sit at the intersection of front-end publishing, access control, template rendering, subscriber collection, SEO metadata, and administrator-managed design content. That makes them high-value from a marketing perspective, but also security-sensitive because builder content often becomes public HTML and mode controls can determine who can see the site. Website Builder by SeedProd version 6.20.1 has successfully completed the CleanTalk Plugin Security Certification process...
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels	May 26, 2026, 14:05:15	Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...
Enable Media Replace	May 26, 2026, 14:05:14	Media replacement plugins work directly with the WordPress upload directory, attachment records, file names, MIME types, and references embedded across posts and pages. That makes them operationally useful, but also security-sensitive: insufficient checks can lead to arbitrary file upload, unauthorized file overwrite, path manipulation, or integrity damage to existing content. Enable Media Replace version 4.1.9 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2...
Custom Fonts – Host Your Fonts Locally	May 26, 2026, 14:05:13	Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the...
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin	May 26, 2026, 14:05:11	SMTP and email routing plugins hold highly sensitive operational data because they connect WordPress to external mail infrastructure, API credentials, OAuth-based providers, email logs, and resend workflows. Weak controls in this layer can expose tokens, disclose private email content, alter transactional mail routing, or allow unauthorized users to resend messages. FluentSMTP version 2.2.95 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64658, confirmin...
SiteGuard WP Plugin	May 26, 2026, 14:05:10	Login hardening plugins operate directly on WordPress authentication, administration access, CAPTCHA behavior, lockout logic, and security notifications. That position gives them defensive value, but it also creates a high-impact attack surface: weak validation or unsafe configuration handling can cause lockout bypass, administrator denial of service, sensitive path disclosure, or unauthorized modification of protection rules. SiteGuard WP Plugin version 1.7.12 has successfully completed the CleanTalk Plugi...
Click to Chat – HoliThemes	May 26, 2026, 14:05:10	WhatsApp contact widgets are small from a user-experience perspective, but they sit on a sensitive boundary between public visitors, business communication flows, tracking, shortcodes, and administrator-controlled display rules. A misstep in this layer can turn a support button into a stored XSS vector, an unsafe redirect path, or a leakage point for contact and form data. Click to Chat – HoliThemes version 4.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-...
Advanced Editor Tools	May 01, 2026, 14:05:56	Editor enhancement plugins operate directly on the boundary between content creation, rich-text formatting, block editor behavior, Classic Editor compatibility, and front-end rendering. These plugins influence how authors create content, how formatting is stored, how editor settings are applied, and how HTML produced by rich-text tools eventually appears on public pages. A weakness in this class of plugin can lead to stored XSS through editor content or settings, unauthorized configuration changes, unsafe h...
Really Simple SSL	May 01, 2026, 14:05:56	Security and SSL enforcement plugins operate across some of the most sensitive trust boundaries in WordPress because they can influence HTTPS migration, redirect behavior, security headers, login protection, two-factor authentication, vulnerability detection, and site hardening controls. Weaknesses in this class of plugin can affect confidentiality, session safety, authentication integrity, administrative access control, or the reliability of security configuration across the entire site. Really Simple Secu...
WP Booking Calendar	Apr 28, 2026, 17:04:40	Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto...

Recent vulnerability researches

Recent approved applications