AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-02-26
CVE-2026-28104: Site Suggest <= 1.3.9 – Missing Authorization (site-suggest)
The Site Suggest plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-02-26
CVE-2026-28110: LambertGroup – AllInOne – Banner with Playlist <= 3.8 – Reflected Cross-Site Scripting (all-in-one-bannerWithPlaylist)
The LambertGroup - AllInOne - Banner with Playlist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user…
2026-02-26
CVE-2026-28109: LambertGroup – AllInOne – Content Slider <= 3.8 – Reflected Cross-Site Scripting (all-in-one-contentSlider)
The LambertGroup - AllInOne - Content Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into…
2026-02-26
CVE-2026-28127: Lawyer Directory <= 1.3.2 – Unauthenticated Stored Cross-Site Scripting (lawyer-directory)
The Lawyer Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2026-02-26
CVE-2026-28113: Ultimate Learning Pro <= 3.9.1 – Reflected Cross-Site Scripting (indeed-learning-pro)
The Ultimate Learning Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action…
2026-02-26
CVE-2026-28108: LambertGroup – AllInOne – Banner with Thumbnails <= 3.8 – Reflected Cross-Site Scripting (all-in-one-thumbnailsBanner)
The LambertGroup - AllInOne - Banner with Thumbnails plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user…
2026-02-26
CVE-2026-28115: WP Attractive Donations System – Easy Stripe & Paypal donations <= 1.25 – Unauthenticated SQL Injection (WP_AttractiveDonationsSystem)
The WP Attractive Donations System - Easy Stripe & Paypal donations plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional…
2026-02-26
CVE-2026-28112: AllInOne – Banner Rotator <= 3.8 – Reflected Cross-Site Scripting (all-in-one-bannerRotator)
The AllInOne - Banner Rotator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an…
2026-02-26
CVE-2026-28078: Directory Listings WordPress plugin – uListing <= 2.2.0 – Authenticated (Editor+) Arbitrary File Download (ulisting)
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
2026-02-26
CVE-2026-28135: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 – Missing Authorization (royal-elementor-addons)
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.1049. This makes it possible for unauthenticated attackers to perform an unauthorized action.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.