Atomic Edge Product

AI-Powered CVE Analysis for WordPress Plugins

We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.

WordPress Proof of Concepts

AI-assisted vulnerability analysis with PoC demonstration

May 14, 2026

CVE-2026-4683: Smartcat Translator for WPML <= 3.1.77 – Missing Authorization to Unauthenticated Plugin Settings Update (smartcat-wpml)

CVE-2026-4683 affects the Smartcat WPML plugin (up to v3.1.77) with a CVSS score of 6.5. Unauthenticated attackers can overwrite API credentials. Upgrade to v3.1.78 to mitigate this vulnerability.
May 14, 2026

CVE-2026-6415: Advanced Custom Fields: Font Awesome Field <= 5.0.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting via JSON Field (advanced-custom-fields-font-awesome)

CVE-2026-6415 affects the Advanced Custom Fields Font Awesome plugin (up to version 5.0.2) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Update to version 6.0.0 to mitigate risks from potential script injections.
May 14, 2026

CVE-2026-5396: Fluent Forms <= 6.1.21 – Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter (fluentform)

CVE-2026-5396 affects the Fluent Forms plugin for WordPress (up to 6.1.21) with a high severity (CVSS 8.2) authorization bypass vulnerability via the 'form_id' parameter. Update to version 6.2.0 to mitigate risks of unauthorized access to form submissions.
May 14, 2026

CVE-2026-8181: Burst Statistics 3.4.0 – 3.4.1.1 – Authentication Bypass to Admin Account Takeover (burst-statistics)

CVE-2026-8181 affects the Burst Statistics plugin (versions 3.4.0 to 3.4.1.1) with a CVSS score of 9.8. Unauthenticated attackers can impersonate administrators, making immediate patching to version 3.4.2 essential.
May 14, 2026

CVE-2026-5361: Envira Gallery <= 1.12.4 – Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter (envira-gallery-lite)

CVE-2026-5361 affects Envira Gallery Lite plugin versions up to 1.12.4, with a medium severity score of 6.4. Users should update to version 1.12.5 to mitigate stored cross-site scripting risks.
May 14, 2026

CVE-2026-42668: Omnisend for WooCommerce <= 1.18.0 – Unauthenticated Omnisend Account Takeover via Predictable Connect Token (omnisend-connect)

CVE-2026-42668 affects the Omnisend Connect plugin (up to v1.18.0) with a CVSS score of 7.5. Unauthenticated attackers can take over the connected Omnisend account through a predictable connect token. Upgrade to v1.18.1 to mitigate account takeover risks.
May 14, 2026

CVE-2026-5486: Unlimited Elements For Elementor <= 2.0.7 – Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter (unlimited-elements-for-elementor)

CVE-2026-5486 affects Unlimited Elements for Elementor (up to version 2.0.7) with a CVSS score of 6.5. This medium severity SQL injection vulnerability allows authenticated users to access sensitive database information. Patching is...
May 14, 2026

CVE-2026-5243: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Menu Lite Widget (the-plus-addons-for-elementor-page-builder)

CVE-2026-5243 affects The Plus Addons for Elementor plugin (up to 6.4.11) with a medium severity XSS vulnerability. Users should update to version 6.4.12 to mitigate risks from authenticated attackers exploiting this flaw.
May 14, 2026

CVE-2026-4031: Database Backup for WordPress <= 2.5.2 – Missing Authorization to Unauthenticated Database Backup Interception (wp-db-backup)

CVE-2026-4031 affects the Wp Db Backup plugin (up to version 2.5.2) with a CVSS score of 7.5. Unauthenticated attackers can exploit this vulnerability to intercept sensitive database backups. Upgrade to version 2.5.3 to mitigate risks.
May 14, 2026

CVE-2026-3829: WP Encryption – One Click SSL & Force HTTPS <= 7.8.5.10 – Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering (wp-letsencrypt-ssl)

CVE-2026-3829 affects the WP Letsencrypt Ssl plugin (up to version 7.8.5.10) with a medium severity CVSS score of 5.4. Authenticated attackers with Subscriber-level access or higher can tamper with the SSL setup because of a missing authorization check; update to version 7.8.5.11 to mitigate.
May 14, 2026

CVE-2026-7525: My Calendar <= 3.7.9 – Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter (my-calendar)

CVE-2026-7525 affects the My Calendar plugin for WordPress (up to 3.7.9) with a medium severity (CVSS 4.3) missing authorization flaw in the 'event_approved' parameter. Update to version 3.7.10 to mitigate unauthorized event management.
May 14, 2026

CVE-2026-7648: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.5 – Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment via 'quantity' Parameter (learnpress)

CVE-2026-7648 affects LearnPress plugin versions up to 4.3.5, allowing authenticated users to bypass payments for courses. Upgrade to version 4.3.6 to mitigate this medium severity vulnerability.
May 14, 2026

CVE-2026-4030: Database Backup for WordPress <= 2.5.2 – Missing Authorization to Unauthenticated Arbitrary File Read and Deletion (wp-db-backup)

CVE-2026-4030 affects the Wp Db Backup plugin (up to 2.5.2) with a CVSS score of 8.1. Unauthenticated attackers can read and delete server files. Update to version 2.5.3 to mitigate this risk.
May 13, 2026

CVE-2026-6504: Royal Addons for Elementor <= 1.7.1058 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter (royal-elementor-addons)

CVE-2026-6504 affects the Royal Elementor Addons plugin (up to v1.7.1058) with a CVSS score of 6.4. This medium severity stored XSS vulnerability can be mitigated by updating to version 1.7.1059.
May 13, 2026

CVE-2026-6206: MW WP Form <= 5.1.2 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter (mw-wp-form)

CVE-2026-6206 affects the MW WP Form plugin (up to version 5.1.2) with a medium severity (CVSS 5.3) vulnerability allowing data exposure from protected posts. Update to version 5.1.3 to mitigate this risk.
May 13, 2026

CVE-2026-6514: InfusedWoo Pro <= 5.1.2 – Unauthenticated Arbitrary File Read via 'url' Parameter (infusedwooPRO)

CVE-2026-6514 affects the InfusedWoo Pro plugin for WordPress (up to 5.1.2) with a CVSS score of 7.5. Unauthenticated attackers can exploit this arbitrary file read vulnerability via the 'url' parameter, risking sensitive data. Update to the patched version to mitigate.
May 13, 2026

CVE-2026-6145: User Registration & Membership <= 5.1.5 – Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter (user-registration)

CVE-2026-6145 affects the User Registration plugin for WordPress (up to 5.1.5) with a CVSS score of 5.3. Unauthenticated attackers can bypass admin approval for new accounts. Update to version 5.1.6 to mitigate this risk.
May 13, 2026

CVE-2026-6252: Meta Field Block <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute (display-a-meta-field-as-block)

CVE-2026-6252 affects the Display A Meta Field As Block plugin (up to v1.5.2) with a CVSS score of 6.4. Authenticated users can exploit this XSS vulnerability, so update to v1.5.3 to mitigate risks.
May 13, 2026

CVE-2026-6225: Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 – Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter (taskbuilder)

CVE-2026-6225 affects the Taskbuilder plugin for WordPress (v5.0.6 and below) with a CVSS score of 6.5. Authenticated users can exploit a SQL injection vulnerability, so update to v5.0.7 to mitigate risks.
May 13, 2026

CVE-2026-6670: Media Sync <= 1.4.9 – Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters (media-sync)

CVE-2026-6670 affects the Media Sync plugin for WordPress (up to v1.4.9) with a medium severity (CVSS 6.5) Path Traversal vulnerability. Users should upgrade to v1.5.0 to mitigate risks from authenticated attacks.
