Atomic Edge Product

AI-Powered CVE Analysis for WordPress Plugins

We use AI to automate differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.

WordPress Proof of Concepts

AI-assisted vulnerability analysis with PoC demonstration

June 14, 2026

CVE-2026-10586: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 Authenticated (Author+) Server-Side Request Forgery PoC, Patch Analysis & Rule

CVE-2026-10586 affects the Essential Blocks plugin for WordPress (up to version 6.1.3) with a CVSS score of 7.2. Authenticated attackers can exploit this SSRF vulnerability, so update to version 6.1.4 to mitigate risks.

June 14, 2026

CVE-2026-49768: Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms <= 1.26.13 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49768 affects the Happyforms plugin (up to version 1.26.13) with a CVSS score of 8.1. This high-severity PHP Object Injection vulnerability allows unauthenticated attackers to exploit untrusted input. Update to version 1.26.14...

June 14, 2026

CVE-2026-49769: wpForo Forum <= 3.1.0 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49769 affects the wpForo plugin for WordPress (up to version 3.1.0) with a CVSS score of 8.1. This high-severity file upload vulnerability allows unauthenticated attackers to exploit PHP Object Injection. Update to 3.1.1 to...

June 14, 2026

CVE-2026-49767: wpForo Forum <= 3.1.0 Missing Authorization PoC, Patch Analysis & Rule

CVE-2026-49767 affects the wpForo plugin for WordPress versions up to 3.1.0, allowing unauthorized access to user profiles. Update to version 3.1.1 to mitigate this medium severity vulnerability (CVSS 5.3).

June 14, 2026

CVE-2026-49763: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.3.7 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49763 affects the Cf7 Hubspot plugin (up to v1.3.7) with a CVSS score of 8.1. This high-severity file upload vulnerability allows unauthenticated PHP Object Injection. Update to v1.3.8 to mitigate risks.

June 14, 2026

CVE-2026-49778: WPFunnels Pro <= 2.9.4 Unauthenticated Stored Cross-Site Scripting PoC, Patch Analysis & Rule

CVE-2026-49778 affects WPFunnels Pro plugin versions up to 2.9.4 with a CVSS score of 7.2. This high-severity stored XSS vulnerability allows attackers to inject scripts. Update to the patched version to mitigate risks.

June 14, 2026

CVE-2026-49764: RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 Missing Authorization PoC, Patch Analysis & Rule

CVE-2026-49764 affects the Custom Registration Form Builder With Submission Manager plugin (up to 6.0.8.6) with a CVSS score of 5.3. Patch to 6.0.8.7 to mitigate unauthorized access risks.

June 14, 2026

CVE-2026-49773: FV Flowplayer Video Player < 7.5.51.7212 Authenticated (Subscriber+) Stored Cross-Site Scripting PoC, Patch Analysis & Rule

CVE-2026-49773 affects the FV Flowplayer Video Player plugin (up to version 7.5.51.7212) with a CVSS score of 6.4. Authenticated attackers can exploit this XSS vulnerability, so ensure timely patching to mitigate risks.

June 14, 2026

CVE-2026-49775: Welcart e-Commerce <= 2.11.28 Missing Authorization PoC, Patch Analysis & Rule

CVE-2026-49775 affects the Usc E Shop plugin (up to v2.11.28) with a CVSS score of 5.3. This medium severity vulnerability allows unauthorized price manipulation. Update to v2.11.29 to mitigate risks.

June 14, 2026

CVE-2026-49771: Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.41 Authenticated (Contributor+) SQL Injection PoC, Patch Analysis & Rule

CVE-2026-49771 affects the Photo Gallery plugin for WordPress (up to version 1.8.41) with a medium severity score of 6.5. Authenticated users can exploit this SQL injection vulnerability, so update to version 1.8.42 to mitigate risks.

June 14, 2026

CVE-2026-49077: Wp EMember <= v10.2.2 Unauthenticated Information Exposure PoC, Patch Analysis & Rule

CVE-2026-49077 affects the Wp EMember plugin for WordPress (up to v10.2.2) with a medium severity CVSS score of 5.3. Unauthenticated attackers can extract sensitive data, so patching is essential.

June 14, 2026

CVE-2026-49770: WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.12 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49770 affects the WP Travel Engine plugin (up to version 6.7.12) with a high severity (CVSS 8.1) file upload vulnerability. Upgrade to version 6.8.0 to mitigate risks of PHP object injection.

June 14, 2026

CVE-2026-49774: RD Station <= 5.6.0 Authenticated (Contributor+) Remote Code Execution PoC, Patch Analysis & Rule

CVE-2026-49774 exposes the RD Station plugin for WordPress (up to 5.6.0) to high-severity remote code execution, with a CVSS score of 8.8. Update to version 5.7.2 to mitigate this risk.

June 14, 2026

CVE-2026-49106: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49106 affects the Cf7 Constant Contact plugin (up to v1.1.6) with a high severity CVSS score of 8.1. Unauthenticated PHP Object Injection can lead to serious impacts; update to v1.1.7 to mitigate risks.

June 14, 2026

CVE-2026-49776: GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 Unauthenticated SQL Injection PoC, Patch Analysis & Rule

CVE-2026-49776 affects the GPTranslate plugin for WordPress (versions up to 2.32.6) with a high severity score of 7.5. Unauthenticated SQL injection can expose sensitive data; update to version 2.32.7 to mitigate this risk.

June 14, 2026

CVE-2026-49109: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49109 affects the Cf7 Salesforce plugin (up to version 1.4.3) with a high severity CVSS score of 8.1. Unauthenticated PHP object injection can lead to serious security risks; users should upgrade to version 1.4.4.

June 14, 2026

CVE-2026-49765: Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49765 affects the Cf7 Mailchimp plugin (up to v1.1.8) with a high severity CVSS score of 8.1. Unauthenticated attackers can exploit a file upload vulnerability. Update to v1.1.9 to mitigate risks.

June 14, 2026

CVE-2026-49113: Cornerstone < 7.8.8 Authenticated (Subscriber+) Arbitrary Code Execution PoC, Patch Analysis & Rule

CVE-2026-49113 affects the Cornerstone plugin for WordPress (up to version 7.8.8) with a CVSS score of 8.8. Authenticated attackers can execute remote code, so ensure you patch to mitigate risks.

June 14, 2026

CVE-2026-49110: Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. <= 3.1.4 Missing Authorization PoC, Patch Analysis & Rule

CVE-2026-49110 affects the Upsell Order Bump Offer For WooCommerce plugin (up to v3.1.4), allowing remote code execution due to missing authorization checks. Upgrade to v3.1.5 to mitigate this medium severity vulnerability.

June 14, 2026

CVE-2026-49781: OttoKit: All-in-One Automation Platform <= 1.1.27 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE-2026-49781 affects the Suretriggers plugin for WordPress (up to version 1.1.27) with a high severity (CVSS 8.1) file upload vulnerability. Update to version 1.1.28 to mitigate risks of PHP Object Injection.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
