AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 19, 2026
CVE-2025-15369: Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 – Missing Authorization to Unauthenticated Xpro Template Creation (xpro-elementor-addons)
CVE-2025-15369 affects the Xpro Elementor Addons plugin (v1.5.0) with a medium severity (CVSS 5.3). Unauthenticated attackers can create published templates. Update to the patched version to mitigate this risk.
May 19, 2026
CVE-2026-9010: Boost <= 2.0.3 – Unauthenticated Blind SQL Injection via Multiple Parameters (boost)
CVE-2026-9010 affects the Boost plugin for WordPress (up to version 2.0.3) with a CVSS score of 7.5. Unauthenticated SQL injection can lead to sensitive data exposure; patching is essential.
May 19, 2026
CVE-2026-3985: Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 – Unauthenticated SQL Injection via 'checkout_uuid' Parameter (creative-mail-by-constant-contact)
CVE-2026-3985 affects the Creative Mail By Constant Contact plugin (up to v1.6.9) with a CVSS score of 7.5. This high-severity SQL injection vulnerability can expose sensitive data; patching is essential.
May 19, 2026
CVE-2026-7284: Easy Elements for Elementor <= 1.4.4 – Unauthenticated Privilege Escalation via easyel_handle_register (easy-elements)
CVE-2026-7284 affects the Easy Elements plugin for WordPress (up to version 1.4.4) with a critical CVSS score of 9.8. Unauthenticated attackers can escalate privileges by registering as administrators. Immediate patching is advised.
May 19, 2026
CVE-2026-6405: Anomify AI <= 0.3.6 – Cross-Site Request Forgery (anomify)
CVE-2026-6405 affects the Anomify plugin for WordPress (up to 0.3.6) with a medium severity (CVSS 4.3) cross-site request forgery vulnerability. Update to the patched version to mitigate potential attacks via forged requests.
May 19, 2026
CVE-2026-8610: TypeSquare Webfonts for ConoHa <= 2.0.4 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via 'fontThemeUseType' Parameter (ts-webfonts-for-conoha)
CVE-2026-8610 affects the Ts Webfonts For Conoha plugin for WordPress versions up to 2.0.4, allowing authenticated users to modify settings due to a missing authorization check. Users should update to the patched version to mitigate...
May 19, 2026
CVE-2026-7467: Read More & Accordion <= 3.5.7 – Privilege Escalation via importData (expand-maker)
CVE-2026-7467 affects the Expand Maker plugin (up to version 3.5.7) with a CVSS score of 8.8. This high-severity privilege escalation vulnerability allows authenticated users to create admin accounts. Patch immediately.
May 19, 2026
CVE-2026-8627: Correct Prices <= 1.0 – Reflected Cross-Site Scripting via PHP_SELF Parameter (correct-prices)
CVE-2026-8627 affects the Correct Prices plugin for WordPress (version 1.0) with a medium severity CVSS score of 6.1. Unauthenticated attackers can exploit a reflected XSS vulnerability; update to the patched version.
May 19, 2026
CVE-2026-7472: Read More & Accordion <= 3.5.7 – Authenticated (Administrator+) SQL Injection via 'orderby' Parameter (expand-maker)
CVE-2026-7472 affects the Expand Maker plugin (up to version 3.5.7) with a medium severity SQL injection vulnerability (CVSS 4.9). Authenticated users can exploit this to extract sensitive data. Patching is advised.
May 19, 2026
CVE-2026-6728: Slider Revolution <= 7.0.9 – Unauthenticated Sensitive Information Exposure via 'sliders/stream' (revslider)
CVE-2026-6728 affects the Revslider plugin for WordPress (up to version 7.0.9) with a medium severity (CVSS 5.3) vulnerability. Unauthenticated attackers can access sensitive data; users should update to the patched version.
May 19, 2026
CVE-2026-8626: SponsorMe <= 0.5.2 – Reflected Cross-Site Scripting via PHP_SELF Parameter (sponsorme)
The SponsorMe plugin for WordPress (up to version 0.5.2) has a medium severity XSS vulnerability (CVE-2026-8626) due to insufficient input sanitization. Users should update to the patched version to mitigate risks.
May 19, 2026
CVE-2026-8624: LJ comments import: reloaded <= 0.97.1 – Reflected Cross-Site Scripting via PHP_SELF Parameter (lj-comments-import-reloaded)
CVE-2026-8624 affects the Lj Comments Import Reloaded plugin for WordPress (up to version 0.97.1) with a medium severity CVSS score of 6.1. Proper input sanitization is crucial to mitigate reflected cross-site scripting risks.
May 19, 2026
CVE-2026-6549: Logo Manager For Enamad <= 0.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute (logo-manager-for-enamad)
CVE-2026-6549 affects the Logo Manager For Enamad plugin (up to 0.7.4) with a CVSS score of 6.4. Authenticated users can exploit a Stored XSS vulnerability. Update to the patched version to mitigate risks.
May 18, 2026
CVE-2026-4883: Piotnet Forms <= 2.1.40 – Unauthenticated Arbitrary File Upload via Form File Upload (piotnetforms-pro)
CVE-2026-4883 is a critical file upload vulnerability in the Piotnet Forms plugin for WordPress (up to version 2.1.40) with a CVSS score of 9.8. Patch to mitigate the risk of remote code execution.
May 18, 2026
CVE-2026-4885: Piotnet Addons for Elementor Pro <= 7.1.70 – Unauthenticated Arbitrary File Upload via Form File Upload (piotnet-addons-for-elementor-pro)
CVE-2026-4885 affects the Piotnet Addons for Elementor Pro plugin (up to version 7.1.70) with a critical CVSS score of 9.8. Unauthenticated attackers can upload arbitrary files, risking remote code execution. Update to the patched version.
May 18, 2026
CVE-2026-42639: GD Rating System <= 3.6.2 – Unauthenticated SQL Injection (gd-rating-system)
CVE-2026-42639 affects the GD Rating System plugin for WordPress (up to version 3.6.2) with a CVSS score of 7.5. Unauthenticated SQL Injection can lead to sensitive data exposure; update to version 3.7 to mitigate.
May 18, 2026
CVE-2026-40776: Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) <= 4.1.8 – Missing Authorization (wp-event-solution)
CVE-2026-40776 affects the Wp Event Solution plugin (versions up to 4.1.8) with a CVSS score of 5.3. Unauthenticated attackers can exploit this vulnerability, so update to version 4.1.9 to mitigate the risk.
May 18, 2026
CVE-2026-8912: Contest Gallery <= 28.1.6 – Unauthenticated SQL Injection (contest-gallery)
CVE-2026-8912 affects the Contest Gallery plugin for WordPress (up to 28.1.6) with a CVSS score of 7.5. This high-severity SQL injection vulnerability allows unauthenticated attackers to access sensitive database information. Update to...
May 18, 2026
CVE-2026-42660: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.7 – Authenticated (Subscriber+) Sensitive Information Exposure (contest-gallery)
CVE-2026-42660 affects the Contest Gallery plugin for WordPress (up to version 28.1.7) with a CVSS score of 4.3. Authenticated attackers can expose sensitive data; upgrade to version 29.0.0 to mitigate this risk.
May 18, 2026
CVE-2026-42654: Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments <= 2.7.5 – Missing Authorization (wallet-system-for-woocommerce)
CVE-2026-42654 affects the Wallet System for WooCommerce plugin (up to version 2.7.5) with a CVSS score of 4.3. It allows authenticated attackers to perform unauthorized actions. Upgrade to version 2.7.6 to mitigate this risk.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website and the internet, inspecting, filtering, and blocking malicious traffic before it ever reaches your application.