Vulnerabilities and Security Researches

Recent vulnerability researches
CVE/PSC	Application	Date	Affected versions	Description
			Actual on: Nov 18, 2025, 08:11:50
CVE-2025-11880	SM CountDown Widget vulnerable	Nov 14, 2025, 17:11:52	Min - Max 1.2	The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-49948	WP Super Edit vulnerable	Nov 12, 2025, 07:11:33	Min - Max 2.5.4	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad Awais WP Super Edit wp-super-edit allows Reflected XSS.This issue affects WP Super Edit: from n/a through <= 2.5.4.
CVE-2025-12137	Import WP – Export and Import CSV and XML files to WordPress vulnerable	Nov 12, 2025, 02:11:01	Min - Max 2.14.17	The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensi...
CVE-2025-11857	XX2WP Integration Tools vulnerable	Nov 12, 2025, 01:11:59	Min - Max 2.0.0	The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-11841	Greenshift – animation and page builder blocks vulnerable	Nov 11, 2025, 21:11:39	Min - Max 12.2.8	The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-49905	Range Slider AddOn for Gravity Forms vulnerable	Nov 11, 2025, 21:11:15	Min - Max 1.1.7	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginsCafe Range Slider Addon for Gravity Forms range-slider-addon-for-gravity-forms allows Reflected XSS.This issue affects Range Slider Addon for Gravity Forms: from n/a through <= 1.1.6.
CVE-2025-62040	YOP Poll vulnerable	Nov 11, 2025, 21:11:12	Min - Max 6.5.38	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YOP YOP Poll yop-poll.This issue affects YOP Poll: from n/a through <= 6.5.37.
CVE-2025-12112	Insert Headers and Footers Code – HT Script vulnerable	Nov 11, 2025, 21:11:09	Min - Max 1.1.7	The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via adding scripts in all versions up to, and including, 1.1.6 due to insufficient capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-49398	Easy Appointments vulnerable	Nov 11, 2025, 20:11:58	Min - Max 3.12.14	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.This issue affects Easy Appointments: from n/a through <= 3.12.14.
CVE-2025-10293	Keyy Two Factor Authentication (like Clef) vulnerable	Nov 11, 2025, 20:11:48	Min - Max 1.2.3	The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2...

Recent approved applications
Application	Date	Description	Details
			Actual on: Nov 18, 2025, 08:11:50
Redis Object Cache	Sep 17, 2025, 11:09:45	Redis Object Cache 2.6.5 is a persistent object cache backend powered by Redis, designed to enhance WordPress performance and scalability. It supports multiple PHP clients such as Predis, PhpRedis (PECL), and Relay, while offering advanced features like replication, sentinels, clustering, and seamless WP-CLI integration. Administrators can configure connection parameters, customize key prefixes, and set up replication or clustering to ensure optimal performance and reliability. For enterprise environments...
PDF Embedder	Sep 11, 2025, 11:09:45	PDF Embedder is a powerful WordPress plugin that allows you to upload and embed PDF files directly into posts and pages, offering seamless document presentation with responsive design. Unlike other plugins that rely on iframes, PDF Embedder uses a unique JavaScript-based rendering method that gives site administrators complete control over the look, sizing, and navigation of embedded PDFs. The plugin ensures that all PDF files and associated scripts are served from your own server, guaranteeing both faster...
Category Order and Taxonomy Terms Order	Sep 08, 2025, 11:09:45	Category Order and Taxonomy Terms Order is a lightweight yet powerful WordPress plugin that enables administrators to reorder categories and custom taxonomy terms with a drag-and-drop interface. Developed by Nsp-Code, this plugin enhances site structure and usability without requiring theme or plugin modifications. While primarily a tool for content organization, it also interacts directly with queries and the WordPress admin environment—areas where poorly implemented code could create vulnerabilities. Tha...
Meta pixel for WordPress	Sep 05, 2025, 10:09:48	Meta Pixel for WordPress is a lightweight and powerful plugin that allows website owners to easily integrate the Meta Pixel (formerly Facebook Pixel) into their WordPress site. With this plugin, site administrators can track critical events such as Lead, ViewContent, AddToCart, InitiateCheckout, and Purchase, while also leveraging the Conversions API for more reliable data collection. By combining the Pixel with the Conversions API, businesses can establish a direct, server-to-server connection with Meta s...
WP-PageNavi	Sep 05, 2025, 10:09:44	WP-PageNavi is one of the most widely used plugins for adding advanced paging navigation to WordPress. Instead of the basic “Older posts \| Newer posts” links, it provides a more user-friendly and customizable pagination interface that improves navigation across archives, blogs, and multipage posts. With a long-standing reputation for reliability, WP-PageNavi is trusted by thousands of site owners to enhance usability. Now, with the Plugin Security Certification (PSC-2025-64594) by CleanTalk, WP-PageNavi ha...
Redux Framework	Aug 28, 2025, 11:08:45	The Redux Framework has long been the go-to options framework for WordPress developers. It provides an extensible, fully responsive environment for building option panels, customizer controls, and advanced UI fields for themes and plugins. By saving developers months of work, Redux accelerates innovation while maintaining a clean, standards-based architecture. With the release of version 4.5.7, Redux Framework has officially achieved the Plugin Security Certification (PSC-2025-64592) by CleanTalk, confirmi...
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent)	Aug 26, 2025, 10:08:33	Ensuring compliance with GDPR, CCPA, DSGVO, and other global privacy regulations is critical for every WordPress-powered website. The GDPR Cookie Compliance plugin (v5.0.9) provides an all-in-one solution for cookie consent management, offering flexibility, transparency, and full compliance with international data protection laws. With its latest achievement, the plugin has been awarded the Plugin Security Certification (PSC-2025-64591) by CleanTalk, guaranteeing that its codebase is secure, hardened, and ...
WP Activity Log	Aug 21, 2025, 21:08:55	WP Activity Log is a powerful WordPress plugin designed to provide detailed, real-time logging of all activities across your WordPress sites and multisite networks. From user login attempts to changes in posts, plugins, themes, and settings, this plugin gives administrators full visibility into everything that happens on their websites. With its granular event tracking, WP Activity Log helps site owners improve security, accountability, compliance, and troubleshooting. Administrators can detect suspicious ...
Superb Addons – WordPress Editor Blocks & Patterns and Elementor Sections & Elements	Aug 21, 2025, 13:08:55	Now, with its successful completion of the Plugin Security Certification (PSC-2025-64588) by CleanTalk, Superb Addons not only delivers cutting-edge features but also guarantees code-level security and reliability. This certification proves that the plugin has been rigorously tested against the most common and dangerous vulnerabilities in the WordPress ecosystem.
PHP Compatibility Checker	Aug 21, 2025, 09:08:19	PHP Compatibility Checker is a WordPress plugin developed by WP Engine that helps site administrators and developers analyze their WordPress themes and plugins for compatibility with modern PHP versions. As WordPress continues to evolve, maintaining compatibility with supported PHP versions is a crucial factor for both performance and security. Outdated PHP releases no longer receive security updates, leaving websites at risk of vulnerabilities. This plugin empowers users to safely transition to newer PHP ...

Recent vulnerability researches

Recent approved applications