cleantalk

Vulnerabilities and Security Researches

Recent vulnerability researches

CVE/PSC Application Date Affected versions Description
Actual on: May 24, 2025, 23:05:41

CVE-2025-4223

Page Builder: Pagelayer – Drag and Drop website builder

vulnerable

May 25, 2025, 03:05:57
Min -
Max 2.0.1
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplie...

CVE-2024-13427

Page Builder: Pagelayer – Drag and Drop website builder

vulnerable

May 25, 2025, 03:05:57
Min -
Max 2.0.1
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was...

CVE-2025-47672

miniOrange Discord Integration

vulnerable

May 25, 2025, 01:05:30
Min -
Max 2.2.2
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration allows PHP Local File Inclusion. This issue affects miniOrange Discord Integration: from n/a through 2.2.2.

CVE-2025-3869

4stats

vulnerable

May 24, 2025, 22:05:33
Min -
Max 2.0.9
The 4stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the stats/stats.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-48241

Verge3D Publishing and E-Commerce

vulnerable

May 24, 2025, 20:05:58
Min -
Max 4.9.3
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soft8Soft LLC Verge3D allows Reflected XSS. This issue affects Verge3D: from n/a through 4.9.3.

CVE-2025-47637

Staggs – Product configurator for WooCommerce

vulnerable

May 24, 2025, 18:05:47
Min -
Max 2.11.0
Unrestricted Upload of File with Dangerous Type vulnerability in STAGGS STAGGS allows Upload a Web Shell to a Web Server. This issue affects STAGGS: from n/a through 2.11.0.

CVE-2025-48251

Additional Custom Emails for WooCommerce

vulnerable

May 24, 2025, 07:05:53
Min -
Max 3.5.2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails & Recipients for WooCommerce allows Stored XSS. This issue affects Additional Custom Emails & Recipients for WooCommerce: from n/a through 3.5.1.

CVE-2025-1123

WP SMTP

vulnerable

May 24, 2025, 07:05:39
Min -
Max 2.1.6
The Solid Mail – SMTP email and logging made by SolidWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email Name, Subject, and Body in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-48268

Bot for Telegram on WooCommerce

vulnerable

May 24, 2025, 01:05:31
Min -
Max 1.2.7
Missing Authorization vulnerability in Guru Team Bot for Telegram on WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bot for Telegram on WooCommerce: from n/a through 1.2.6.

CVE-2025-48235

WP Image Mask

vulnerable

May 23, 2025, 19:05:30
Min -
Max 3.1.3
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bogdan Bendziukov WP Image Mask allows DOM-Based XSS. This issue affects WP Image Mask: from n/a through 3.1.2.

Recent approved applications

Application Date Description Details
Actual on: May 24, 2025, 23:05:41

Header Footer Code Manager

May 20, 2025, 20:05:00 Header Footer Code Manager by 99 Robots is an easy interface to add snippets to the header or footer or above or below the content of your page. BENEFITS: Never have to worry about inadvertently breaking your site by adding code; Avoid inadvertently placing snippets in the wrong place; Eliminate the need for a dozen or more silly plugins just to add a small code snippet – Less plugins is always better!; Never lose your code snippets when switching or chan...

Widgets for Google Reviews

May 06, 2025, 19:05:29 Display your Google Reviews for free with our responsive widgets in 2 minutes. The plugin displays your Google Reviews in amazing predesigned widgets. You can simply create and display your own widgets, and filter your reviews to build customers’ trust and increase SEO. ...

JetBackup – WP Backup, Migrate & Restore

May 05, 2025, 10:05:34 JetBackup is the most complete backup and migration choice for WordPress. We offer the easiest way to backup, restore and migrate your WordPress based website or blog. You can backup/migrate your files, database or both. Download JetBackup premium versions here: https://www.jetbackup.com/jetbackup-for-wordpress. See JetBackup in Action Here!...

Simple Custom CSS and JS

Apr 25, 2025, 00:04:55 Customize your WordPress site’s appearance by easily adding custom CSS and JS code without even having to modify your theme or plugin files. This is perfect for adding custom CSS tweaks to your site. Features: Text editor with syntax highlighting; Print the code inline or included into an external file; Print the code in the header or the footer; Add CSS or JS to the ...

WooCommerce Shipping & Tax

Apr 21, 2025, 19:04:49 WooCommerce Shipping & Tax makes basic eCommerce features like shipping more reliable by taking the burden off of your site’s infrastructure. With WooCommerce Shipping & Tax, critical services are hosted on Automattic’s best-in-class infrastructure, rather than relying on your store’s hosting. That means your store will be more stable and faster. To use the features, simply install this plugin and activate the ones you want directly in your dashboard. As we add more services, you’ll ...

Flamingo

Apr 16, 2025, 10:04:34 Flamingo is a message storage plugin originally created for Contact Form 7 (https://wordpress.org/plugins/contact-form-7/), which doesn’t store submitted messages. After activation of the plugin, you’ll find Flamingo on the WordPress admin screen menu. All messages through contact forms are listed there and are searchable. With Flamingo, you no longer need to worry about losing important messages due to mail server issues or misconfiguration in mail s...

Autoptimize

Apr 15, 2025, 17:04:47 Autoptimize makes optimizing your site really easy. It can aggregate, minify and cache scripts and styles, injects CSS in the page head by default but can also inline critical CSS and defer the aggregated full CSS, moves and defers scripts to the footer and minifies HTML. You can optimize and lazy-load images (with support for WebP and AVIF formats), optimize Google Fonts, async non-aggregated JavaScript, remove WordPress core emoji cruft and more. As such it can improve your site’s performance eve...

Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]

Mar 12, 2025, 18:03:32 Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]: Instantly allow or disallow comments from any post type in WordPress (Pages, Posts, or Media) to stop the spammers and gain complete control over your full website. WP-CLI Support & Control comments via XML-RPC and REST-API too! More About Plugin (https://wpdeveloper.com/plugins/disable-comments/) ◼️ https://wpdeveloper.com/docs-category/disable-comments/ ...

W3 Total Cache

Mar 12, 2025, 18:03:31 W3 Total Cache (W3TC) improves the SEO, Core Web Vitals and overall user experience of your site by increasing website performance and reducing load times by leveraging features like content delivery network (CDN) integration and the latest best practices. W3TC is the only web host agnostic Web Performance Optimization (WPO) framework for WordPress trusted by millions of publishers, web developers, and web hosts worldwide for more than a decade. It is the total performance solutio...

Maintenance

Feb 26, 2025, 18:02:05 Maintenance plugin allows the WordPress site administrator to close the website for maintenance, enable “503 Service temporarily unavailable”, set a temporary page with authorization, which can be edited via the plugin settings. Easy customize the good look on all devices. Add your logo, background image, select the desired color, add text. Maintenance uses Bunny Fonts for EU GDPR compliance. Need pre-made themes and over 3 million free images to build maintenance, coming so...