
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, whose findings are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 15, 2026
CVE-2025-14767: WPC Badge Management for WooCommerce <= 3.1.6 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute (wpc-badge-management)
CVE-2025-14767 affects the WPC Badge Management plugin (up to 3.1.6) with a CVSS score of 5.5. Authenticated attackers can exploit a cross-site scripting flaw. Upgrade to version 3.1.7 to mitigate this risk.
May 15, 2026
CVE-2026-6708: HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 – Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter (hel-online-classroom)
CVE-2026-6708 affects the HEL Online Classroom plugin (up to v1.0.3) with a CVSS score of 5.3. Unauthenticated attackers can delete classroom records, leading to data loss. Update to the patched version to mitigate this risk.
May 15, 2026
CVE-2026-6710: Skysa Text Ticker App <= 1.4 – Cross-Site Request Forgery to Settings Modification via 'Save Settings' Form (skysa-text-ticker-app)
CVE-2026-6710 affects the Skysa Text Ticker App plugin for WordPress (up to version 1.4) with a CVSS score of 4.3. Unauthenticated attackers can exploit this CSRF vulnerability, so patching is essential.
May 15, 2026
CVE-2026-6709: Coinbase Commerce for Contact Form 7 <= 1.1.2 – Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter (coinbase-commerce-for-contact-form-7)
CVE-2026-6709 affects the Coinbase Commerce for Contact Form 7 plugin (v1.1.2 and lower), allowing authenticated attackers to overwrite API keys due to missing authorization. Update to the patched version to mitigate this risk.
May 15, 2026
CVE-2026-7635: coreActivity: Activity Logging for WordPress <= 3.0 – Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field (coreactivity)
CVE-2026-7635 affects the coreActivity plugin for WordPress (versions up to 3.0) with a CVSS score of 8.1. Unauthenticated attackers can exploit this vulnerability to cause a Denial of Service. Upgrade to version 3.1 to mitigate.
May 15, 2026
CVE-2026-5715: Voyage Plus <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode (voyage-plus)
CVE-2026-5715 affects the Voyage Plus plugin for WordPress (up to version 1.0.6) with a medium severity CVSS score of 6.4. Authenticated users can exploit a stored XSS vulnerability, so patching is essential.
May 15, 2026
CVE-2026-5340: Fancy Image Show <= 9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (fancy-image-show)
CVE-2026-5340 affects the Fancy Image Show plugin for WordPress (up to v9.1), allowing authenticated users to inject stored XSS. Patch now to mitigate risks associated with this medium-severity vulnerability (CVSS 6.4).
May 15, 2026
CVE-2026-5693: Smart Appointment & Booking <= 1.0.8 – Missing Authorization to Unauthenticated Arbitrary Booking Cancellation (smart-appointment-booking)
CVE-2026-5693 affects the Smart Appointment Booking plugin (versions
May 15, 2026
CVE-2026-7661: Bootstrap Shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'box' Shortcode (bootstrap-shortcode)
CVE-2026-7661 affects the Bootstrap Shortcode plugin for WordPress (up to version 1.0) with a CVSS score of 6.4. Authenticated attackers can exploit stored XSS vulnerabilities, so ensure proper patching and input sanitization.
May 15, 2026
CVE-2026-7659: Advanced Social Media Icons <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode (advanced-social-media-icons)
CVE-2026-7659 affects the Advanced Social Media Icons plugin (up to v1.2) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit this XSS vulnerability, so ensure you update to the patched version.
May 15, 2026
CVE-2026-5028: Eight Day Week Print Workflow <= 1.2.6 – Authenticated (Subscriber+) SQL Injection via 'title' Parameter (eight-day-week-print-workflow)
CVE-2026-5028 affects the Eight Day Week Print Workflow plugin for WordPress (up to version 1.2.6) with a medium severity (CVSS 6.5) SQL injection flaw. Update to version 1.3.0 to mitigate risks of data exposure.
May 15, 2026
CVE-2026-6690: LifePress <= 2.2.2 – Unauthenticated Stored Cross-Site Scripting via 'n' Parameter via lp_update_mds AJAX Action (lifepress)
CVE-2026-6690 affects the LifePress plugin for WordPress (up to version 2.2.2) with a CVSS score of 7.2. This high-severity stored XSS vulnerability requires immediate patching to prevent unauthorized script injection.
May 15, 2026
CVE-2026-6256: Credits Shortcode <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute (source-shortcode)
CVE-2026-6256 affects the Source Shortcode plugin for WordPress (v1.2 and earlier) with a CVSS score of 6.4. Authenticated users can exploit it for Stored XSS, highlighting the need for immediate patching.
May 14, 2026
CVE-2026-6403: Quick Playground <= 1.3.3 – Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter (quick-playground)
CVE-2026-6403 affects the Quick Playground plugin for WordPress (up to version 1.3.3) with a high severity CVSS score of 7.5. Users should upgrade to version 1.3.4 to mitigate the risk of unauthenticated path traversal vulnerabilities.
May 14, 2026
CVE-2026-6228: Frontend Admin by DynamiApps <= 3.28.36 – Unauthenticated Privilege Escalation via Edit User Form (acf-frontend-form-element)
CVE-2026-6228 affects the ACF Frontend Form Element plugin for WordPress (up to version 3.28.36) with a CVSS score of 8.8. It allows unauthenticated privilege escalation; update to version 3.29.1 to mitigate.
May 14, 2026
CVE-2026-7046: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12 – Authenticated (Administrator+) SQL Injection via 'table' Parameter (nex-forms-express-wp-form-builder)
CVE-2026-7046 affects the Nex Forms Express WP Form Builder plugin (up to version 9.1.12) with a CVSS score of 4.9. Authenticated admins can exploit a SQL injection vulnerability, so update to version 9.1.13 to mitigate risks.
May 14, 2026
CVE-2026-7563: Classified Listing <= 5.3.10 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions (classified-listing)
CVE-2026-7563 affects the Classified Listing plugin for WordPress (up to version 5.3.10), allowing authenticated users to add unauthorized order notes. Upgrade to version 5.4.0 to mitigate this medium-severity vulnerability.
May 14, 2026
CVE-2026-8425: Notify Odoo <= 1.0.1 – Cross-Site Request Forgery to Settings Update (notify-odoo)
CVE-2026-8425 affects the Notify Odoo plugin for WordPress (up to 1.0.1) with a medium severity (CVSS 4.3) CSRF vulnerability. Unauthenticated attackers can alter plugin settings, so ensure you update to the patched version.
May 14, 2026
CVE-2026-5229: Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 – Unauthenticated Authentication Bypass via LINE OAuth Callback (form-notify)
CVE-2026-5229 affects the Form Notify plugin for WordPress (up to v1.1.10) with a critical CVSS score of 9.8. Unauthenticated attackers can bypass authentication via LINE OAuth. Update to v1.1.11 to mitigate this risk.
May 14, 2026
CVE-2026-4094: FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 – Missing Authorization to Authenticated (Contributor+) Configuration Deletion (woocommerce-currency-switcher)
CVE-2026-4094 affects the WooCommerce Currency Switcher plugin (up to v1.4.5) with a CVSS score of 8.1. Authenticated attackers can exploit this high-severity CSRF vulnerability to delete multi-currency configurations. Patching is...
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
