cleantalk

Vulnerabilities and Security Researches

Recent vulnerability researches

CVE/PSC Application Date Affected versions Description
Actual on: Jul 14, 2026, 10:07:31

CVE-2026-57718

Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

vulnerable

Jul 14, 2026, 14:07:19
Min -
Max 2.0.13
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Reflected XSS.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through <= 2.0.12.

CVE-2026-59516

ICS Calendar

vulnerable

Jul 14, 2026, 00:07:22
Min -
Max 12.1.1.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1.

CVE-2026-2354

Swiss Toolkit For WP

vulnerable

Jul 13, 2026, 13:07:57
Min -
Max 1.4.6
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. The `upload_extension_files()` function hooks into WordPress's `wp_check_filetype_and_ext` filter and uses `strpos()` to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-l...

CVE-2026-15301

BuddyHolis TableSearch

vulnerable

Jul 13, 2026, 13:07:28
Min -
Max 1.1.0
The BuddyHolis TableSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-15291

Better Chat Support &#8211; Chat Bubble and Chat Button with Gutenberg, Elementor and Shortcode

vulnerable

Jul 13, 2026, 13:07:20
Min -
Max 3.1.4
The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}. This is due to the plugin not performing any authentication and authorization checks. This makes it possible for unauthenticated attackers to extract sensitive data including customer names, email addresses, phone numbers, WhatsApp messages, complete geolocation...

CVE-2026-3576

Planyo online reservation system

vulnerable

Jul 13, 2026, 12:07:33
Min -
Max 3.1
The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authentication. The send_http_post() function validates the host of the provided URL against an allowlist that includes 'localhost', but critically fails to validate the URL scheme/protocol. This makes it possible for unauthenti...

CVE-2025-13968

Starboard Suite Reservation Calendars

vulnerable

Jul 13, 2026, 08:07:19
Min -
Max 3.1.5
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-7559

Affilia Lite &#8211; Affiliate Program With MLM

vulnerable

Jul 13, 2026, 07:07:20
Min -
Max 3.3.4
The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve or reject affiliate referrals, credit commissions to affiliate wallets, delete referral records, and modify custom banner plugin options, enabl...

CVE-2026-15283

WPvivid Backup for MainWP

vulnerable

Jul 13, 2026, 06:07:56
Min -
Max 0.9.34
The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has bee...

CVE-2026-9017

NEX-Forms &#8211; Ultimate Form Builder &#8211; Contact forms and much more

vulnerable

Jul 13, 2026, 06:07:43
Min -
Max 9.2.3
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the saved_admin_email, saved_user_email, and saved_user_email_address fields of arbitrary form entries belonging to other users, and cause the site to dispatch attacker-controlled email content...

Recent approved applications

Application Date Description Details
Actual on: Jul 14, 2026, 10:07:31

Jetpack – WP Security, Backup, Speed, & Growth

Jun 25, 2026, 16:06:39 Security and performance suites operate across many areas of a WordPress installation, including backups, malware scanning, content delivery, statistics, forms, and social publishing. That makes them operationally useful, but also security-sensitive because a broad plugin footprint can affect privileged settings, connected service tokens, public scripts, and administrator workflows. Jetpack - WP Security, Backup, Speed, and Growth version 15.9.1 has successfully completed the CleanTalk Plugin Security Certi...

Admin and Site Enhancements (ASE)

Jun 25, 2026, 16:06:39 Administrative enhancement plugins concentrate many privileged controls in one interface, including editor behavior, media tools, SMTP settings, menu changes, and site management modules. That makes them efficient for administrators, but also security-sensitive because broad settings can affect core WordPress behavior. Admin and Site Enhancements (ASE) version 8.8.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64673, confirming that the plugin was revi...

Really Simple CAPTCHA

Jun 25, 2026, 16:06:39 CAPTCHA helper plugins sit close to form submission flows, generated challenge files, temporary tokens, and validation results used by other plugins. That makes them useful against automated abuse, but also security-sensitive because weak file handling or predictable challenge behavior can affect public forms. Really Simple CAPTCHA version 2.4 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64669, confirming that the plugin was reviewed from a secure code...

Mailchimp for WooCommerce

Jun 25, 2026, 16:06:39 Email marketing integrations process order activity, customer profiles, product metadata, cart events, and API credentials. That makes them useful for store communication, but also security-sensitive because customer related data moves between WooCommerce and an external marketing platform. Mailchimp for WooCommerce version 6.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64671, confirming that the plugin was reviewed from a secure code perspective w...

Font Awesome

Jun 25, 2026, 16:06:39 Icon plugins affect the editor, public markup, scripts, styles, and sometimes external kit configuration. That makes them convenient for visual design, but also security-sensitive because stored icon settings and asset URLs can become part of the public HTML served to visitors. Font Awesome version 5.1.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64668, confirming that the plugin was reviewed from a secure code perspective with attention to common ex...

Pinterest for WooCommerce

Jun 25, 2026, 16:06:39 Commerce marketing integrations handle product data, tracking events, connected account settings, and background synchronization. That makes them valuable for store growth, but also security-sensitive because merchant configuration and catalog data can affect both customer privacy and public product visibility. Pinterest for WooCommerce version 1.4.27 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64670, confirming that the plugin was reviewed from a sec...

Facebook Chat Plugin &#8211; Live Chat Plugin for WordPress

Jun 25, 2026, 16:06:39 Live chat plugins add third-party scripts, public widgets, and administrator managed page identifiers to WordPress pages. That makes them useful for customer communication, but also security-sensitive because stored settings are rendered to visitors and external script behavior becomes part of the public site surface. Facebook Chat Plugin - Live Chat Plugin for WordPress version 2.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64667, confirming that th...

Page Optimize

Jun 25, 2026, 16:06:39 Page optimization plugins change how scripts, styles, and front-end resources are loaded. That makes them useful for performance, but also security-sensitive because optimized output becomes part of every public page and can affect forms, commerce, analytics, and security controls. Page Optimize version 0.6.3 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64674, confirming that the plugin was reviewed from a secure code perspective with attention to comm...

Advanced Google reCAPTCHA

Jun 25, 2026, 16:06:39 Anti-spam plugins protect login, registration, comment, and public form paths. That makes them useful against automated abuse, but also security-sensitive because enforcement failures can leave high-value endpoints exposed or block legitimate visitors from expected workflows. Advanced Google reCAPTCHA version 5.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64672, confirming that the plugin was reviewed from a secure code perspective with attention to...

Instant Images &#8211; One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels

May 26, 2026, 14:05:15 Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the p...