
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 18, 2026
CVE-2026-42629: PowerPack Pro for Elementor < v2.13.0 – Missing Authorization (powerpack-elements)
CVE-2026-42629 affects the PowerPack Elements plugin for WordPress, allowing unauthorized access due to missing capability checks. Update to version 2.13.0 to mitigate this medium severity vulnerability (CVSS 5.3).
May 18, 2026
CVE-2026-40795: Booking for Appointments and Events Calendar – Amelia <= 2.2 – Missing Authorization (ameliabooking)
CVE-2026-40795 affects the Amelia Booking plugin for WordPress (up to version 2.2) with a medium severity (CVSS 4.3). Ensure you update to version 2.2.1 to mitigate unauthorized access risks.
May 18, 2026
CVE-2026-42655: Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management <= 4.6.19 – Missing Authorization (wp-payment-form)
CVE-2026-42655 affects the Wp Payment Form plugin (up to v4.6.19) with a CVSS score of 5.3. Unauthenticated attackers can manipulate payment submissions. Update to v4.6.20 to mitigate this vulnerability.
May 18, 2026
CVE-2026-5306: Check & Log Email – Easy Email Testing & Mail logging < 2.0.13 – Unauthenticated Stored Cross-Site Scripting (check-email)
CVE-2026-5306 affects the Check Email plugin (up to version 2.0.13) with a CVSS score of 7.2 due to stored XSS vulnerabilities. Users should update to the patched version to mitigate potential attacks.
May 18, 2026
CVE-2026-42647: JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.7.7 – Unauthenticated SQL Injection (joomsport-sports-league-results-management)
CVE-2026-42647 reveals a high severity SQL Injection vulnerability in the Joomsport Sports League Results Management plugin for WordPress (versions up to 5.7.7). Unauthenticated attackers can exploit this flaw to access sensitive...
May 18, 2026
CVE-2026-42384: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.11.2 – Unauthenticated Sensitive Information Exposure (simply-schedule-appointments)
CVE-2026-42384 affects Simply Schedule Appointments plugin versions up to 1.6.11.1, exposing sensitive data to unauthenticated users. Update to version 1.6.11.2 to mitigate this medium severity vulnerability.
May 18, 2026
CVE-2026-42412: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 – Missing Authorization (wp-user-frontend)
CVE-2026-42412 affects the Wp User Frontend plugin (up to version 4.3.1) with a medium severity CVSS score of 5.3. Unauthenticated attackers can exploit this vulnerability, so update to version 4.3.2 to mitigate risks.
May 18, 2026
CVE-2026-42410: TheGem Theme Elements < 5.12.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting (thegem-elements-elementor)
CVE-2026-42410 affects TheGem Elements Elementor plugin (up to 5.12.1.1) with a medium severity (CVSS 6.4). Authenticated attackers can exploit this XSS vulnerability, so ensure timely patching to mitigate risks.
May 18, 2026
CVE-2026-42649: Favicon Rotator <= 1.2.11 – Unauthenticated Stored Cross-Site Scripting (favicon-rotator)
CVE-2026-42649 affects the Favicon Rotator plugin for WordPress (up to version 1.2.11) with a CVSS score of 7.2. Unauthenticated attackers can exploit this stored XSS vulnerability; update to version 1.2.12 to mitigate.
May 18, 2026
CVE-2026-42379: Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! <= 3.6.1 – Authenticated (Contributor+) Information Exposure (templately)
CVE-2026-42379 affects the Templately plugin for WordPress (up to version 3.6.1) with a CVSS score of 4.3. Authenticated attackers can access sensitive data; update to version 3.6.2 to mitigate this risk.
May 18, 2026
CVE-2026-42386: Order Delivery Date for WooCommerce <= 4.5.1 – Unauthenticated SQL Injection (order-delivery-date-for-woocommerce)
CVE-2026-42386 affects the Order Delivery Date For WooCommerce plugin (up to v4.5.1) with a CVSS score of 7.5. Patch to v4.5.2 to mitigate this high-severity SQL injection vulnerability that exposes sensitive database information.
May 18, 2026
CVE-2026-42385: Profile Builder Pro <= 3.15.0 – Unauthenticated Stored Cross-Site Scripting (profile-builder-pro)
CVE-2026-42385 affects Profile Builder Pro versions up to 3.15.0, with a CVSS score of 7.2. This high-severity stored XSS vulnerability allows unauthenticated attackers to inject scripts. Ensure you update to the patched version.
May 18, 2026
CVE-2026-42381: FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.15.0.1 – Unauthenticated SQL Injection (funnel-builder)
CVE-2026-42381 affects the Funnel Builder plugin for WordPress (up to 3.15.0.1) with a high severity SQL injection vulnerability (CVSS 7.5). Update to version 3.15.0.2 to mitigate the risk of unauthorized data access.
May 17, 2026
CVE-2026-42653: Affiliate Program Suite — SliceWP Affiliates <= 1.2.6 – Unauthenticated Stored Cross-Site Scripting (slicewp)
CVE-2026-42653 affects the SliceWP Affiliates plugin (up to v1.2.6) with a CVSS score of 7.2, exposing users to stored XSS attacks. Upgrade to v1.2.7 to mitigate this high-severity vulnerability.
May 17, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wc-hkdigital-acba-gateway)
CVE-2024-13362 affects the Wc Hkdigital Acba Gateway plugin (v1.2.6) with a medium severity CVSS score of 6.1. Ensure you patch to mitigate the reflected cross-site scripting risk from unauthenticated attackers.
May 17, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (text-to-audio)
CVE-2024-13362 affects the Text To Audio plugin (v1.7.34) with a medium severity (CVSS 6.1) cross-site scripting vulnerability. Users should update to v1.8.12 to mitigate risks from potential script injection attacks.
May 17, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (dynamic-copyright-year)
CVE-2024-13362 affects the Dynamic Copyright Year plugin (v1.0.4) with a medium severity (CVSS 6.1) reflected XSS vulnerability. Be sure to update to the patched version to mitigate potential attacks.
May 17, 2026
CVE-2026-3004: Snow Monkey Blocks <= 24.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute (snow-monkey-blocks)
CVE-2026-3004 affects the Snow Monkey Blocks plugin for WordPress, with a CVSS score of 6.4. Users should upgrade to version 24.1.12 to mitigate the Stored Cross-Site Scripting vulnerability.
May 17, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (auto-install-free-ssl)
CVE-2024-13362 affects the Auto Install Free Ssl plugin (v4.5.0) with a medium severity CVSS score of 6.1 due to cross-site scripting. Users should update to v4.5.1 to mitigate potential attacks.
May 17, 2026
CVE-2026-3140: Ultimate Dashboard <= 3.8.14 – Cross-Site Request Forgery to Module Activation/Deactivation (ultimate-dashboard)
CVE-2026-3140 affects the Ultimate Dashboard plugin for WordPress (up to 3.8.14) with a medium severity (CVSS 4.3) CSRF vulnerability. Upgrade to 3.8.15 to mitigate the risk of unauthorized module toggling.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
