
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 20, 2026
CVE-2026-8424: Remove Yellow BGBOX <= 1.0 – Cross-Site Request Forgery (remove-yellow-bgbox)
CVE-2026-8424 affects the Remove Yellow BGBOX plugin (v1.0) with a medium severity CVSS score of 4.3. Unauthenticated attackers can exploit this CSRF vulnerability to reset plugin settings. Patching is recommended.
May 20, 2026
CVE-2026-8418: Games Catalog <= 1.2.0 – Cross-Site Request Forgery to Arbitrary Game/Post Deletion (game-catalog)
CVE-2026-8418 affects the Game Catalog plugin for WordPress (up to v1.2.0) with a medium severity (CVSS 4.3) CSRF vulnerability. Unauthenticated attackers can delete game entries by tricking admins. Update to the patched version.
May 20, 2026
CVE-2026-6456: Account Switcher <= 1.0.2 – Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation (account-switcher)
CVE-2026-6456 affects the Account Switcher plugin for WordPress (up to version 1.0.2) with a high severity CVSS score of 8.8. Authenticated attackers can exploit this vulnerability to escalate privileges, so immediate patching is essential.
May 20, 2026
CVE-2026-7462: VatanSMS WP SMS <= 1.01 – Reflected Cross-Site Scripting via 'page' Parameter (wp-sms-vatansms-com)
CVE-2026-7462 affects the VatanSMS WP SMS plugin (up to version 1.01) with a CVSS score of 6.1. This medium severity reflected XSS vulnerability requires admin interaction to exploit. No patch is currently available.
May 20, 2026
CVE-2026-8419: Amazon Scraper <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update (amazon-scraper)
CVE-2026-8419 affects the Amazon Scraper plugin for WordPress, version 1.1 and earlier. This medium severity CSRF vulnerability allows attackers to inject scripts if an admin is tricked into clicking a link. Patching is essential.
May 20, 2026
CVE-2026-6452: Bigfishgames Syndicate <= 1.2 – Cross-Site Request Forgery to Settings Reset and Update (bigfishgames-syndicate)
CVE-2026-6452 affects the Bigfishgames Syndicate plugin (up to version 1.2) with a medium severity CVSS score of 4.3. Proper nonce validation is missing, allowing CSRF attacks. Update to the patched version to mitigate risks.
May 20, 2026
CVE-2026-8420: BLOGCHAT Chat System <= 1.3.6.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update (blogchat-chat-system)
CVE-2026-8420 affects the Blogchat Chat System plugin for WordPress (up to v1.3.6.3) with a medium severity CVSS score of 6.1. Ensure nonce validation is implemented to mitigate the risk of CSRF and XSS attacks.
May 20, 2026
CVE-2026-6401: Bottom Bar <= 0.1.7 – Cross-Site Request Forgery to Settings Update (bottom-bar)
CVE-2026-6401 affects the Bottom Bar plugin for WordPress (up to version 0.1.7) with a CVSS score of 4.3. This medium-severity CSRF vulnerability allows attackers to manipulate plugin settings. Update to the patched version to mitigate...
May 20, 2026
CVE-2026-6400: Child Height Predictor by Ostheimer <= 1.3 – Cross-Site Request Forgery to Settings Update via Plugin Settings Form (child-height-predictor)
CVE-2026-6400 affects the Child Height Predictor plugin for WordPress (up to version 1.3) with a CVSS score of 4.3. Ensure you update to the patched version to mitigate the risk of unauthorized changes via CSRF.
May 20, 2026
CVE-2026-6404: Anomify AI <= 0.3.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter (anomify)
CVE-2026-6404 affects the Anomify plugin (up to version 0.3.6) with a medium severity score of 4.4. Authenticated admins can exploit stored XSS via the 'anomify_api_key' parameter. Update to the patched version to mitigate risks.
May 20, 2026
CVE-2026-6399: General Options <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter (general-options)
CVE-2026-6399 affects the General Options plugin for WordPress (up to 1.1.0) with a CVSS score of 4.4. Authenticated admins can exploit stored XSS via the 'ad_contact_number' field, making timely patching essential.
May 20, 2026
CVE-2026-6395: Word 2 Cash <= 0.9.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page (word-2-cash)
CVE-2026-6395 affects the Word 2 Cash plugin (up to version 0.9.2) with a medium severity (CVSS 6.1) vulnerability. Unauthenticated attackers can exploit this for stored XSS. Update to the patched version to mitigate risks.
May 20, 2026
CVE-2026-6397: Sticky <= 2.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute (sticky)
CVE-2026-6397 affects the Sticky plugin for WordPress (up to version 2.5.6) with a CVSS score of 6.4. Authenticated attackers can exploit a stored XSS vulnerability, so patching is essential to mitigate risks.
May 19, 2026
CVE-2026-7637: Boost <= 2.0.3 – Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie (boost)
CVE-2026-7637 is a critical PHP Object Injection vulnerability in the Boost plugin for WordPress (up to 2.0.3) with a CVSS score of 9.8. Users should patch immediately to mitigate risks, especially if other vulnerable plugins are present.
May 19, 2026
CVE-2026-7613: Cost of Goods by PixelYourSite <= 1.2.12 – Unauthenticated Stored Cross-Site Scripting via Cost of Goods Import (pixel-cost-of-goods)
CVE-2026-7613 affects the Pixel Cost Of Goods plugin for WordPress (up to 1.2.12) with a high severity CVSS score of 7.2. Unauthenticated attackers can exploit stored XSS vulnerabilities, making timely patching essential.
May 19, 2026
CVE-2026-7522: Advanced Database Cleaner – Premium <= 4.1.0 – Authenticated (Subscriber+) Local File Inclusion via 'template' (advanced-database-cleaner-premium)
CVE-2026-7522 affects the Advanced Database Cleaner Premium plugin (up to v4.1.0) with a CVSS score of 8.8. Authenticated attackers can exploit this high-severity flaw for Local File Inclusion, risking sensitive data and code execution.
May 19, 2026
CVE-2026-6566: Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 – Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API (nextgen-gallery)
CVE-2026-6566 affects the NextGEN Gallery plugin for WordPress (up to 4.2.0) with a medium severity CVSS score of 4.3. Authenticated users can delete others' images; update to 4.2.1 to mitigate this risk.
May 19, 2026
CVE-2026-5075: All in One SEO <= 4.9.7 – Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data (all-in-one-seo-pack)
CVE-2026-5075 affects All in One SEO Pack versions up to 4.9.7, allowing authenticated users to access sensitive data like API tokens. Update to the patched version to mitigate this medium-severity vulnerability.
May 19, 2026
CVE-2026-5200: AcyMailing <= 10.8.2 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router' (acymailing)
CVE-2026-5200 affects the AcyMailing plugin (up to version 10.8.2) with a CVSS score of 8.8. Authenticated attackers can exploit this high-severity flaw to modify configurations and potentially take over admin accounts. Upgrade to 10.9.0.
May 19, 2026
CVE-2026-2955: AI Chatbot & Workflow Automation by AIWU <= 1.4.14 – Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' Header (ai-copilot-content-generator)
CVE-2026-2955 affects the Ai Copilot Content Generator plugin for WordPress (up to v1.4.14) with a medium severity CVSS of 6.4. Patch to v1.4.15 to mitigate stored XSS risks from unauthenticated attackers.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
