
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 13, 2026
CVE-2026-6512: InfusedWoo Pro <= 5.1.2 – Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters (infusedwooPRO)
CVE-2026-6512 affects the InfusedWoo Pro plugin for WordPress (up to v5.1.2) with a critical CVSS score of 9.1. Unauthenticated attackers can delete posts and change statuses; patch immediately to mitigate risks.
May 13, 2026
CVE-2026-5193: Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 – Authenticated (Author+) Limited Privilege Escalation via register_user (essential-addons-for-elementor-lite)
CVE-2026-5193 affects the Essential Addons For Elementor Lite plugin (up to v6.5.13), allowing privilege escalation for authenticated users. Update to v6.6.0 to mitigate this medium severity issue.
May 13, 2026
CVE-2026-3694: Bold Page Builder <= 5.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode (bold-page-builder)
CVE-2026-3694 affects the Bold Page Builder plugin (up to v5.6.8) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit stored XSS vulnerabilities, so patch to the latest version.
May 13, 2026
CVE-2026-6510: InfusedWoo Pro <= 5.1.2 – Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe' (infusedwooPRO)
CVE-2026-6510 is a critical vulnerability (CVSS 9.8) in the InfusedWoo Pro plugin (versions
May 13, 2026
CVE-2026-6506: InfusedWoo Pro <= 5.1.2 – Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update (infusedwooPRO)
CVE-2026-6506 affects the InfusedWoo Pro plugin for WordPress (up to v5.1.2) with a CVSS score of 8.8. Authenticated users can escalate privileges to administrator, making patching essential.
May 13, 2026
CVE-2026-6174: CC Child Pages <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter (cc-child-pages)
CVE-2026-6174 affects the CC Child Pages plugin for WordPress (up to v2.1.1) with medium severity (CVSS 6.4) due to stored XSS. Update to v2.1.2 to mitigate the risk of unauthorized script injection.
May 13, 2026
CVE-2026-3718: ManageWP Worker <= 4.9.31 – Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header (worker)
CVE-2026-3718 affects the ManageWP Worker plugin for WordPress (up to version 4.9.31) with a CVSS score of 7.2. Patch to 4.9.32 to mitigate this high-severity stored XSS vulnerability.
May 13, 2026
CVE-2026-5395: Fluent Forms <= 6.2.0 – Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter (fluentform)
CVE-2026-5395 affects the Fluentform plugin (up to version 6.2.0) with a CVSS score of 8.2. Authenticated users can bypass access restrictions. Update to version 6.2.1 to mitigate this high-severity authorization bypass vulnerability.
May 13, 2026
CVE-2026-5365: LatePoint <= 5.3.2 – Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route (latepoint)
CVE-2026-5365 affects the LatePoint plugin for WordPress (up to 5.3.2) with a medium severity CVSS score of 4.3. Unauthenticated attackers can cancel bookings via forged requests; users should upgrade to version 5.4.0 to mitigate this risk.
May 13, 2026
CVE-2025-15345: MapGeo – Interactive Geo Maps <= 1.6.27 – Reflected Cross-Site Scripting via 'map' Parameter (interactive-geo-maps)
CVE-2025-15345 affects the Interactive Geo Maps plugin for WordPress (up to version 1.6.27) with a medium severity CVSS of 6.1. Users should update to version 1.6.28 to mitigate the risk of cross-site scripting attacks.
May 13, 2026
CVE-2026-6417: GLS Shipping for WooCommerce <= 1.4.0 – Reflected Cross-Site Scripting via 'failed_orders' (gls-shipping-for-woocommerce)
CVE-2026-6417 affects the GLS Shipping for WooCommerce plugin (up to v1.4.0) with a CVSS score of 6.1. Unauthenticated attackers can exploit a cross-site scripting flaw. Update to v1.4.1 to mitigate this risk.
May 13, 2026
CVE-2026-6271: Career Section <= 1.7 – Unauthenticated Arbitrary File Upload (career-section)
CVE-2026-6271 affects the Career Section plugin for WordPress (up to version 1.7) with a critical CVSS score of 9.8. Unauthenticated attackers can exploit this file upload vulnerability, so update to version 1.8 to mitigate risks.
May 13, 2026
CVE-2026-3892: Motors – Car Dealer, Classifieds & Listing <= 1.4.107 – Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter (motors-car-dealership-classified-listings)
CVE-2026-3892 affects the Motors Car Dealership Classified Listings plugin (up to 1.4.107) with a CVSS score of 8.1. Authenticated users can delete arbitrary files. Update to version 1.4.108 to mitigate this high-severity vulnerability.
May 12, 2026
CVE-2026-6965: Tutor LMS <= 3.9.9 – Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter (tutor)
CVE-2026-6965 affects the Tutor LMS plugin (up to 3.9.9) with a CVSS score of 5.3. Authenticated users can exploit this to delete or modify other instructors' course content. Upgrade to version 3.9.10 to mitigate risks.
May 12, 2026
CVE-2026-4798: Avada Builder <= 3.15.1 – Unauthenticated SQL Injection via 'product_order' Parameter (fusion-builder)
CVE-2026-4798 affects the Fusion Builder plugin for WordPress (up to 3.15.1) with a CVSS score of 7.5. This high-severity SQL injection can expose sensitive data. Users should update to the patched version to mitigate risks.
May 12, 2026
CVE-2026-6929: JoomSport <= 5.7.7 – Unauthenticated SQL Injection via 'sortf' Parameter (joomsport-sports-league-results-management)
CVE-2026-6929 affects the JoomSport plugin for WordPress (up to version 5.7.7) with a CVSS score of 7.5. This high-severity SQL injection vulnerability allows unauthenticated attackers to access sensitive database information.
May 12, 2026
CVE-2025-14033: ilGhera Support System for WooCommerce <= 1.3.0 – Missing Authorization to Unauthenticated Sensitive Information Exposure (wc-support-system)
CVE-2025-14033 affects the Wc Support System plugin (up to 1.3.0) with a CVSS score of 5.3. It allows unauthorized access to support ticket data. Update to version 1.3.1 to mitigate this information exposure risk.
May 12, 2026
CVE-2026-4782: Avada Builder <= 3.15.2 – Authenticated (Subscriber+) Arbitrary File Read via 'custom_svg' Shortcode Parameter (fusion-builder)
CVE-2026-4782 affects the Fusion Builder plugin (up to version 3.15.2) with a CVSS score of 6.5. Authenticated attackers can read arbitrary files on the server. Upgrade to version 3.15.3 to mitigate this risk.
May 12, 2026
CVE-2025-14755: Cost Calculator Builder <= 4.0.1 – Unauthenticated Price Manipulation and Insecure Direct Object Reference (cost-calculator-builder)
CVE-2025-14755 affects the Cost Calculator Builder plugin for WordPress (up to 4.0.1), allowing unauthenticated price manipulation. Upgrade to 4.0.2 to mitigate this medium severity vulnerability.
May 12, 2026
CVE-2026-6962: Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting (cost-of-goods-for-woocommerce)
CVE-2026-6962 affects the Cost Of Goods For WooCommerce plugin (up to v4.1.0) with a medium severity CVSS of 6.4. It allows authenticated users to inject scripts, impacting site security. Update to the patched version to mitigate risks.
