cleantalk
Vulnerabilities and Security Researches

Shield Security – Smart Bot Blocking & Intrusion Prevention Security, CVE-2025-15370

CVE, Research URL

CVE-2025-15370

Home page URL

Security reports for Shield Security – Smart Bot Blocking & Intrusion Prevention Security

Application

Shield Security – Smart Bot Blocking & Intrusion Prevention Security

Published on
Jan 16, 2026
Research Description
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.
Affected versions
max 21.0.10.
Status
vulnerable
Previous vulnerability researches
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2024-7129) , Sep 15, 2024
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2024-7877) , Oct 17, 2024
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2024-7876) , Oct 17, 2024
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2025-4667) , Jun 15, 2025
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2024-22311) , Jun 07, 2024
New vulnerability
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps (CVE-2025-68881) , Jan 28, 2026
Simple Calendar – Google Calendar Plugin (CVE-2025-68979) , Jan 28, 2026
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form (CVE-2025-14901) , Jan 28, 2026
IMGspider – 图片采集抓取插件 (CVE-2026-22482) , Jan 28, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2025-15380) , Jan 28, 2026