CleanTalk

18 Mar 2025

WordPress Plugin Developer Security Advisory: CleanTalk

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when alerted they haven’t done that. A smaller number of plugin developers either are unable or unwilling to properly secure their plugins. With the latter group, among the issues we have seen, are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisory, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

4 Mar 2025

CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While Their Security Plugin Contains Known Vulnerable Library

Last week we posted about the three most popular file manager plugins containing a vulnerable version of the jQuery UI library. The inclusion of the vulnerable version of that library was detected by our Plugin Security Scorecard. None of those plugins have been updated to address that yet, despite us notifying the developers a week ago. Over the weekend, another plugin was checked through the tool and identified to contain a vulnerable version of that. Incredibly, it is a security plugin, Security & Malware scan by CleanTalk:

[Read more]

9 Dec 2024

Wordfence and “News” Outlets Recommend Updating WordPress Plugin to Version Still Known to be Vulnerable

What we see over and over is that WordPress security providers and supposed journalists are focused on getting themselves attention while failing to provide useful information that would make WordPress websites more secure. A recent example involved (once again) Wordfence. As usual, they were using a vulnerability in a plugin to promote themselves:

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk. [Read more]

6 Aug 2024

CleanTalk Isn’t Doing Real Security Reviews of WordPress Plugins and Their Plugin Contains Vulnerabilities

Last week we mentioned in a post that security reviews of WordPress plugins would provide a good idea of how secure they are, but those reviews are rarely done. Just prior to writing that post, we ran across a security provider claiming to being do those reviews and a lot of them. That provider being CleanTalk. In checking in to if they were really doing reviews, we found their own plugin, Anti-Spam by CleanTalk, which they just claimed to do a review of and found no issues, contains easy to spot vulnerabilities because of a lack of basic security. That would have been caught by a real review. We found the same missing check in other plugins they claimed to have reviewed.

We have previously noted on our blog multiple instances where CleanTalk either was very confused about security or just being dishonest. In February, we noted that they had greatly overstated the risk of a vulnerability, seemingly, because they lack a basic understanding of securing web apps. In May, we noted they had made up a “critical” vulnerability in a plugin with 100,000+ installs. That same month, we noted they had claimed that a vulnerability in another 100,000+ install plugin had been fixed, when it hadn’t. [Read more]

24 May 2024

CleanTalk Makes Up “Critical” Vulnerability in 100,000+ Install WordPress Plugin

WordPress security providers frequently falsely claim that popular WordPress plugins contain serious vulnerabilities that don’t really exist. One repeat source of those claims is CleanTalk. They recently claimed that the plugin Social Icons Widget & Block by WPZOOM, which has 100,000+ installs, contained “[a] critical security vulnerability” and the “vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity”. They also claimed that “if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back.” In reality, the “attacker” would already have to have complete control of the website and would already be allowed by WordPress to do what is supposed to be the vulnerability.

One critical element in determining the severity of a vulnerability, or if there is even a vulnerability, is what level of access is needed to exploit it. For example, if you need an account on the website, that would usually stop an attacker from exploiting the vulnerability. What is supposed to be the proof of concept for this lacks clear information to determine what level of access is needed, as it states: [Read more]

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

When it comes to the very common occurrence of vulnerabilities in WordPress plugins failing to really be fixed, many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though, one that keeps “your website vulnerabilities up to date” instead of fixing them: [Read more]

9 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly, with plugins they use, but to a lesser extent other plugins. That work often goes unmentioned. So we are highlighting that to help to better understand what is going on and how signing up for our service can help to expand that work.

Vulnerability in WordPress Hosting Benchmark tool Partially Fixed

Last week, we reached out to the developer of the WordPress plugin WordPress Hosting Benchmark tool to let them know that an attempt to fix a vulnerability in their plugin had failed and that the vulnerability was more severe than they claimed. The miss-identification of the issue looks to be caused in part by a competitor of ours, Patchstack, not properly reviewing a claim they received of a vulnerability in the plugin (which is a common occurrence). We looked in to that because at least one of our customers was using the plugin. [Read more]

6 Feb 2024

Information Disclosure Vulnerability in FastDup

We recently had a hacker probing for usage of the WordPress plugin FastDup on our website with the following request:

/wp-content/plugins/fastdup/readme.txt [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: CleanTalk