Atomic Edge Product

AI-Powered CVE Analysis for WordPress Plugins

We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.

WordPress Proof of Concepts

AI-assisted vulnerability analysis with PoC demonstration

May 17, 2026

CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (inavii-social-feed-for-elementor)

CVE-2024-13362 affects Inavii Social Feed For Elementor (v2.7.0) with a medium severity CVSS of 6.1 due to reflected XSS. Upgrade to v2.7.7 to mitigate the risk of unauthorized script injection.

May 17, 2026

CVE-2026-40796: WPPizza – A Restaurant Plugin <= 3.19.9 – Authenticated (Subscriber+) Information Exposure (wppizza)

CVE-2026-40796 affects the WPPizza plugin for WordPress (up to version 3.19.9) with a CVSS score of 4.3. Authenticated attackers can expose sensitive data; users should upgrade to version 3.20 to mitigate this risk.

May 17, 2026

CVE-2026-3143: Total Upkeep <= 1.17.1 – Missing Authorization to Unauthenticated Rollback Cancellation (boldgrid-backup)

CVE-2026-3143 affects the Boldgrid Backup plugin for WordPress (up to version 1.17.1) with a CVSS score of 5.3. Unauthenticated attackers can cancel rollbacks, so update to version 1.17.2 to mitigate this risk.

May 17, 2026

CVE-2026-42774: JetEngine <= 3.8.8.1 – Unauthenticated SQL Injection (jet-engine)

CVE-2026-42774 affects the Jet Engine plugin for WordPress (up to version 3.8.8.1) with a CVSS score of 7.5. Unauthenticated SQL injection could expose sensitive data; ensure you update to the patched version.

May 17, 2026

CVE-2026-3772: WP Editor <= 1.2.9.2 – Cross-Site Request Forgery to Remote Code Execution via Plugin and Theme File Editor (wp-editor)

CVE-2026-3772 affects WP Editor plugin versions up to 1.2.9.2 with a CVSS score of 8.8. It allows unauthenticated attackers to exploit CSRF vulnerabilities. Upgrade to version 1.2.9.3 to mitigate this risk.

May 17, 2026

CVE-2026-42651: Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.9 – Missing Authorization (classified-listing)

CVE-2026-42651 affects the Classified Listing plugin for WordPress (up to version 5.3.9) with a CVSS score of 4.3. Patch to version 5.3.10 to prevent unauthorized access by authenticated users.

May 17, 2026

CVE-2026-42659: AFI – The Easiest Integration Plugin <= 1.126.12 – Missing Authorization (advanced-form-integration)

CVE-2026-42659 affects the Advanced Form Integration plugin for WordPress versions up to 1.126.12. This medium severity vulnerability allows authenticated users to perform unauthorized actions. Update to the latest version to mitigate...

May 17, 2026

CVE-2026-6127: Elementor Website Builder <= 4.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via REST API (elementor)

CVE-2026-6127 affects Elementor plugin versions up to 4.0.4, allowing authenticated users to exploit a medium severity XSS vulnerability. Users should update to version 4.0.5 to mitigate risks associated with this flaw.

May 17, 2026

CVE-2026-42650: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 – Unauthenticated Stored Cross-Site Scripting (automatorwp)

CVE-2026-42650 affects AutomatorWP plugin versions up to 5.6.7, with a CVSS score of 7.2. This high-severity XSS vulnerability allows unauthenticated attackers to inject scripts. Update to version 5.6.8 to mitigate risks.

May 17, 2026

CVE-2026-42640: Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.8 – Missing Authorization (classified-listing)

CVE-2026-42640 affects the Classified Listing plugin for WordPress versions up to 5.3.8, allowing unauthorized access due to missing capability checks. Update to version 5.3.9 to mitigate this medium severity vulnerability.

May 17, 2026

CVE-2026-42656: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting (contest-gallery)

CVE-2026-42656 affects the Contest Gallery plugin (up to version 28.1.6) with a CVSS score of 6.4. Authenticated users can exploit this stored XSS vulnerability. Upgrade to version 29.0.0 to mitigate risks.

May 17, 2026

CVE-2026-42657: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.7 – Missing Authorization (contest-gallery)

CVE-2026-42657 affects the Contest Gallery plugin for WordPress (up to version 28.1.7) with a CVSS score of 5.3. Unauthenticated attackers can exploit this vulnerability, so update to version 29.0.0 to mitigate risks.

May 17, 2026

CVE-2026-42658: Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.8 – Unauthenticated Stored Cross-Site Scripting (classified-listing)

CVE-2026-42658 affects the Classified Listing plugin for WordPress (up to version 5.3.8) with a CVSS score of 7.2. Users should upgrade to version 5.3.9 to mitigate the risk of stored cross-site scripting attacks.

May 17, 2026

CVE-2025-15484: Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 – Unauthenticated Remote Code Execution (woc-order-alert)

CVE-2025-15484 affects the Woc Order Alert plugin (up to 3.6.2) with a critical CVSS score of 9.8, allowing remote code execution. Ensure you update to version 3.6.3 to mitigate this vulnerability.

May 16, 2026

CVE-2026-6247: scratchblocks for WP <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute (scratchblocks-for-wp)

CVE-2026-6247 affects the Scratchblocks For WP plugin (up to version 1.0.1) with a CVSS score of 6.4. Authenticated users can exploit this XSS vulnerability. Update to the patched version to mitigate risks.

May 16, 2026

CVE-2026-4935: OttoKit: All-in-One Automation Platform < 1.1.23 – Unauthenticated SQL Injection (suretriggers)

CVE-2026-4935 affects the Suretriggers plugin for WordPress, with a CVSS score of 7.5. This high-severity SQL injection vulnerability allows unauthenticated attackers to access sensitive data. Ensure you update to version 1.1.23.

May 16, 2026

CVE-2026-6237: Quick Table <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute (quick-table)

CVE-2026-6237 affects the Quick Table plugin for WordPress, allowing authenticated users to exploit stored XSS due to inadequate input sanitization. Users should update to the patched version to mitigate this medium severity risk.

May 16, 2026

CVE-2026-40799: Simple CAPTCHA Alternative with Cloudflare Turnstile <= 1.38.0 – Broken Authorization (simple-cloudflare-turnstile)

CVE-2026-40799 affects the Simple Cloudflare Turnstile plugin for WordPress (up to version 1.38.0) with a medium severity (CVSS 5.3). Unauthenticated attackers can bypass CAPTCHA verification; upgrade to 1.38.1 to mitigate.

May 16, 2026

CVE-2026-8719: AI Engine 3.4.9 – Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token (ai-engine)

CVE-2026-8719 affects the Ai Engine plugin for WordPress (up to version 3.4.9) with a CVSS score of 8.8. This high-severity remote code execution vulnerability allows privilege escalation for authenticated users. Update to version 3.5.0...

May 16, 2026

CVE-2026-42665: WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards <= 5.5.70 – Unauthenticated SQL Injection (wp-data-access)

CVE-2026-42665 affects the WP Data Access plugin (up to version 5.5.70) with a CVSS score of 7.5. This high-severity SQL injection vulnerability allows unauthenticated attackers to extract sensitive data. Update to version 5.5.71 to...

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
