AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-01-13
CVE-2025-13627: Makesweat <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting (makesweat)
The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a…
2026-01-13
CVE-2026-0680: Real Post Slider Lite <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings (real-post-slider-lite)
The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever…
2026-01-13
CVE-2025-12178: SpiceForms Form Builder <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode (spiceforms-form-builder)
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in…
2026-01-13
CVE-2025-14482: Crush.pics Image Optimizer <= 1.8.7 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update (crush-pics)
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and…
2026-01-13
CVE-2025-15021: Gotham Block Extra Light <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings (gotham-block-extra-light)
The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute…
2026-01-13
CVE-2026-0678: Shipping Rates by City for WooCommerce <= 1.0.3 – Authenticated (Shop Manager+) SQL Injection via 'cities' Parameter (flat-shipping-rate-by-city-for-woocommerce)
The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers,…
2026-01-13
CVE-2025-14389: WPBlogSyn <= 1.0 – Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update (wpblogsync)
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an…
2026-01-13
CVE-2025-14613: GetContentFromURL <= 1.0 – Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute (getcontentfromurl)
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access…
2026-01-13
CVE-2025-14880: Netcash WooCommerce Payment Gateway <= 4.1.3 – Missing Authorization to Unauthenticated Order Status Modification (netcash-pay-now-payment-gateway-for-woocommerce)
The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed.
2026-01-13
CVE-2025-15020: Gotham Block Extra Light <= 1.5.0 – Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode (gotham-block-extra-light)
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.