cleantalk

Vulnerabilities and Security Researches

Recent vulnerability researches

CVE/PSC Application Date Affected versions Description
Actual on: Jul 08, 2026, 22:07:16

CVE-2026-3688

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

vulnerable

Jul 09, 2026, 03:07:11
Min -
Max 2.11.11
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.

CVE-2024-6228

WANotifier – Send Message Notifications Using Cloud API

vulnerable

Jul 08, 2026, 22:07:17
Min -
Max 2.6
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.

CVE-2026-6459

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

vulnerable

Jul 08, 2026, 19:07:47
Min -
Max 6.6.3
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page...

CVE-2026-6382

FileOrganizer – Manage WordPress and Website Files

vulnerable

Jul 08, 2026, 19:07:30
Min -
Max 1.1.9
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

CVE-2026-11962

FileOrganizer – Manage WordPress and Website Files

vulnerable

Jul 08, 2026, 19:07:30
Min -
Max 1.2.0
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.

CVE-2026-11855

Simple Membership

vulnerable

Jul 08, 2026, 17:07:40
Min -
Max 4.7.5
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

CVE-2026-6101

AMP for WP – Accelerated Mobile Pages

vulnerable

Jul 08, 2026, 14:07:34
Min -
Max 1.1.13
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, ...

CVE-2026-12002

Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress

vulnerable

Jul 08, 2026, 13:07:24
Min -
Max 6.11.2
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 6.11.2 CVE-2026-12002

CVE-2026-6382

File Manager Pro &#8211; Filester

vulnerable

Jul 08, 2026, 12:07:52
Min -
Max 2.1.1
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

CVE-2026-11328

Exclusive Addons for Elementor

vulnerable

Jul 08, 2026, 12:07:11
Min -
Max 2.7.9.9
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.