
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 16, 2026
CVE-2026-25468: Happy Addons for Elementor <= 3.20.8 – Unauthenticated Information Exposure (happy-elementor-addons)
CVE-2026-25468 affects the Happy Elementor Addons plugin (up to version 3.20.8) with a CVSS score of 5.3. Unauthenticated attackers can access sensitive data, so update to version 3.21.0 to mitigate this risk.
May 16, 2026
CVE-2026-27329: YITH WooCommerce Wishlist <= 4.12.0 – Unauthenticated Insecure Direct Object Reference (yith-woocommerce-wishlist)
CVE-2026-27329 affects the YITH WooCommerce Wishlist plugin (up to v4.12.0) with a medium severity CVSS score of 5.3. Unauthenticated attackers can exploit this remote code execution vulnerability, so upgrade to v4.13.0 to mitigate risks.
May 16, 2026
CVE-2026-42664: AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 – Missing Authorization (motive-commerce-search)
CVE-2026-42664 affects the Motive Commerce Search plugin for WordPress (up to version 1.38.2), allowing remote code execution due to a missing capability check. Update to version 1.38.3 to mitigate this medium severity vulnerability.
May 16, 2026
CVE-2026-40798: wpForo Forum <= 3.0.4 – Unauthenticated SQL Injection (wpforo)
CVE-2026-40798 affects the wpForo plugin for WordPress (up to v3.0.4) with a CVSS score of 7.5. This high-severity SQL injection allows unauthenticated access to sensitive data. Update to v3.0.5 to mitigate risks.
May 16, 2026
CVE-2026-25436: Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 – Missing Authorization (royal-elementor-addons)
CVE-2026-25436 affects the Royal Elementor Addons plugin (up to version 1.7.1053) with a CVSS score of 5.3. It allows unauthorized access due to missing capability checks; update to the patched version to mitigate risks.
May 16, 2026
CVE-2026-27421: Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 – Authenticated (Contributor+) Stored Cross-Site Scripting (royal-elementor-addons)
CVE-2026-27421 affects the Royal Elementor Addons plugin (up to version 1.7.1053) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Ensure you update to the patched version to mitigate potential attacks.
May 16, 2026
CVE-2025-68060: Team Members – Multi Language Supported Team Plugin <= 8.5 – Authenticated (Editor+) SQL Injection (team-showcase-supreme)
CVE-2025-68060 affects the Team Showcase Supreme plugin for WordPress (up to version 8.5) with a medium severity CVSS score of 4.9. Authenticated attackers can exploit SQL Injection to access sensitive data; update to version 8.6.
May 16, 2026
CVE-2026-27415: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 – Cross-Site Request Forgery (woo-bulk-editor)
CVE-2026-27415 affects the Woo Bulk Editor plugin for WordPress (up to version 1.1.5) with a medium severity (CVSS 4.3) CSRF vulnerability. Be sure to update to the patched version to mitigate unauthorized actions.
May 16, 2026
CVE-2025-68604: WPGraphQL <= 2.5.3 – Cross-Site Request Forgery (wp-graphql)
CVE-2025-68604 affects the WP GraphQL plugin (up to 2.5.3) with a medium severity (CVSS 4.3) due to cross-site request forgery. Update to version 2.5.4 to mitigate unauthorized actions.
May 16, 2026
CVE-2026-27416: PDF Poster – Display PDF Files with Custom Viewer <= 2.4.1 – Missing Authorization (pdf-poster)
CVE-2026-27416 affects the PDF Poster plugin for WordPress (versions ≤ 2.4.1) with a CVSS score of 5.3. Update to version 2.5.0 to mitigate unauthorized access to sensitive post metadata.
May 16, 2026
CVE-2026-42773: eMagicOne Store Manager for WooCommerce <= 1.3.2 – Unauthenticated SQL Injection (store-manager-connector)
CVE-2026-42773 affects the Store Manager Connector plugin for WordPress (up to version 1.3.2) with a CVSS score of 7.5. Unauthenticated SQL injection can expose sensitive data; ensure you patch to mitigate this risk.
May 16, 2026
CVE-2025-68049: bunny.net – WordPress CDN Plugin <= 2.3.6 – Missing Authorization (bunnycdn)
CVE-2025-68049 affects the Bunnycdn WordPress plugin (up to version 2.3.6) with a medium severity (CVSS 4.3) vulnerability allowing unauthorized access. Update to version 2.3.7 to mitigate this risk.
May 16, 2026
CVE-2025-66105: Bus Ticket Booking with Seat Reservation < 5.6.8 – Missing Authorization (bus-ticket-booking-with-seat-reservation)
CVE-2025-66105 affects the Bus Ticket Booking with Seat Reservation plugin for WordPress (up to v5.6.8). This medium severity vulnerability allows unauthorized actions by unauthenticated users. Ensure you update to the patched version.
May 16, 2026
CVE-2025-62127: WEN Logo Slider <= 3.4.0 – Authenticated (Author+) Stored Cross-Site Scripting (wen-logo-slider)
CVE-2025-62127 affects the WEN Logo Slider plugin (up to v3.4.0) with a CVSS score of 6.4. This medium-severity XSS vulnerability allows authenticated users to inject scripts. Upgrade to v3.5 to mitigate risks.
May 15, 2026
CVE-2026-4029: Database Backup for WordPress <= 2.5.2 – Missing Authorization to Unauthenticated Database Export (wp-db-backup)
CVE-2026-4029 affects the Wp Db Backup plugin (up to version 2.5.2) with a high severity CVSS of 7.5, allowing unauthorized database exports. Update to version 2.5.3 to mitigate this vulnerability.
May 15, 2026
CVE-2025-4202: Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 – Missing Authorization to Authenticated (Subscriber+) Collaboration Comment (commenting-feature)
CVE-2025-4202 affects the Multicollab plugin for WordPress (up to version 5.2) with a CVSS score of 4.3. Authenticated users can exploit this to add comments to collaborations. Upgrade to version 5.3 to mitigate the risk.
May 15, 2026
CVE-2026-8681: Essential Chat Support <= 1.0.1 – Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter (essential-chat-support)
CVE-2026-8681 affects the Essential Chat Support plugin (up to version 1.0.1) with a medium severity CVSS score of 5.3. Unauthenticated attackers can reset settings, highlighting the need for immediate patching or mitigation.
May 15, 2026
CVE-2026-6913: Shortcodely <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'widget_area' Shortcode Attribute (shortcodely)
CVE-2026-6913 affects the Shortcodely plugin for WordPress (up to version 1.0.1) with a CVSS score of 6.4. It allows authenticated users to inject scripts, highlighting the need for immediate patching to mitigate risks.
May 15, 2026
CVE-2026-4609: ProfileGrid <= 5.9.8.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining (profilegrid-user-profiles-groups-and-communities)
CVE-2026-4609 affects the ProfileGrid User Profiles plugin (up to 5.9.8.4) with a CVSS score of 7.1. Authenticated attackers can join any group, including paid ones. Update to 5.9.8.5 to mitigate this high-severity vulnerability.
May 15, 2026
CVE-2026-6177: Custom Twitter Feeds <= 2.5.4 – Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text (custom-twitter-feeds)
CVE-2026-6177 affects the Custom Twitter Feeds plugin for WordPress (up to version 2.5.4) with a CVSS score of 7.2. This high-severity XSS vulnerability allows unauthenticated attackers to inject scripts. Update to version 2.5.5 to...
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
