AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-01-16
CVE-2026-0820: RepairBuddy <= 4.1116 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders (computer-repair-shop)
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to…
2026-01-16
CVE-2025-14463: Payment Button for PayPal <= 1.2.3.41 – Missing Authorization to Unauthenticated Arbitrary Order Creation (wp-paypal)
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers…
2026-01-16
CVE-2025-13725: Gutenberg Thim Blocks <= 1.0.1 – Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter (thim-blocks)
The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access…
2026-01-16
CVE-2025-8615: CubeWP <= 1.1.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode (cubewp-framework)
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages…
2026-01-16
CVE-2026-0833: Team Section Block <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link (team-section)
The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web…
2026-01-16
CVE-2025-14029: Community Events <= 1.5.6 – Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter (community-events)
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.
2026-01-16
CVE-2025-12168: Phrase TMS Integration for WordPress <= 4.7.5 – Missing Authorization to Authenticated (Subscriber+) Log Deletion (memsource-connector)
The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.
2026-01-16
CVE-2025-12129: CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 – Unauthenticated Information Exposure (cubewp-framework)
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private,…
2026-01-16
CVE-2026-0808: Spin Wheel <= 2.1.0 – Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter (spin-wheel)
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent…
2026-01-16
CVE-2026-0725: Integrate Dynamics 365 CRM <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration (integrate-dynamics-365-crm)
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in…
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.