
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the underlying security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 12, 2026
CVE-2026-7051: Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 – Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter (blog2social)
CVE-2026-7051 affects the Blog2Social plugin for WordPress versions up to 8.9.0, with a CVSS score of 5.4. Authenticated attackers can delete other users' posts; update to version 8.9.1 to mitigate this risk.
May 12, 2026
CVE-2025-9988: Broadstreet <= 1.53.1 – Missing Authorization to Authenticated (Subscriber+) Advertiser Creation (broadstreet)
CVE-2025-9988 affects the Broadstreet WordPress plugin (up to v1.53.1) with a CVSS score of 4.3. Authenticated attackers can create advertisers without proper checks. Update to v1.53.2 to mitigate this risk.
May 12, 2026
CVE-2026-1250: Court Reservation – Manage Your Court Bookings Online <= 1.10.11 – Unauthenticated SQL Injection (court-reservation)
CVE-2026-1250 affects the Court Reservation plugin for WordPress (up to 1.10.11) with a CVSS score of 7.5. Unauthenticated SQL injection can expose sensitive data; update to version 1.10.12 to mitigate risks.
May 12, 2026
CVE-2025-9989: Broadstreet <= 1.53.1 – Authenticated (Admin+) Stored Cross-Site Scripting (broadstreet)
CVE-2025-9989 affects the Broadstreet plugin for WordPress (up to 1.53.1) with a medium severity CVSS score of 4.4. Update to version 1.53.2 to mitigate Stored XSS risks from authenticated attackers.
May 12, 2026
CVE-2026-5371: MonsterInsights <= 10.1.2 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset (google-analytics-for-wordpress)
CVE-2026-5371 affects the Google Analytics For WordPress plugin (up to version 10.1.2) with a CVSS score of 7.1. Authenticated attackers can access sensitive data; update to version 10.1.3 to mitigate risks.
May 12, 2026
CVE-2025-9987: Broadstreet <= 1.53.1 – Authenticated (Subscriber+) Information Disclosure (broadstreet)
CVE-2025-9987 affects the Broadstreet plugin for WordPress versions up to 1.53.1, exposing sensitive data to authenticated attackers. Upgrade to version 1.53.2 to mitigate this medium severity vulnerability (CVSS 5.3).
May 12, 2026
CVE-2026-7619: Charitable <= 1.8.10.4 – Authenticated (Custom+) SQL Injection via 's' Search Parameter (charitable)
CVE-2026-7619 affects the Charitable plugin for WordPress, versions up to 1.8.10.4, with a medium severity (CVSS 6.5). Patch to 1.8.10.5 to mitigate SQL injection risks in the donation management area.
May 12, 2026
CVE-2025-15463: Advanced Custom Fields: Extended <= 0.9.2.3 – Unauthenticated Arbitrary Shortcode Execution (acf-extended)
CVE-2025-15463 affects the ACF Extended plugin for WordPress, allowing unauthenticated remote code execution in versions up to 0.9.2.3. Upgrade to 0.9.2.4 to mitigate this medium severity vulnerability.
May 12, 2026
CVE-2026-3425: RTMKit Addons for Elementor <= 2.0.2 – Authenticated (Author+) Local File Inclusion via 'path' (rometheme-for-elementor)
CVE-2026-3425 affects the Rometheme For Elementor plugin (up to v2.0.2) with a CVSS score of 8.8. Authenticated attackers can exploit this authentication bypass to execute arbitrary PHP files. Upgrade to v2.0.3 to mitigate risks.
May 12, 2026
CVE-2026-6828: Fluent Forms <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute (fluentform)
CVE-2026-6828 affects the Fluent Forms plugin for WordPress (up to 6.2.1) with a CVSS score of 6.4. Authenticated attackers can exploit a stored XSS vulnerability. Update to version 6.2.2 to mitigate risks.
May 12, 2026
CVE-2026-4608: ProfileGrid <= 5.9.8.4 – Authenticated (Subscriber+) SQL Injection via 'rid' Parameter (profilegrid-user-profiles-groups-and-communities)
CVE-2026-4608 affects the ProfileGrid User Profiles plugin (up to version 5.9.8.4) with a medium severity CVSS score of 6.5. Patch to version 5.9.8.5 to mitigate SQL injection risks from authenticated attackers.
May 12, 2026
CVE-2026-3426: RTMKit Addons for Elementor <= 2.0.2 – Authenticated (Author+) Missing Authorization to Widget Configuration Modification (rometheme-for-elementor)
CVE-2026-3426 affects Rometheme For Elementor plugin versions up to 2.0.2, allowing authenticated attackers to modify site-wide widget settings. Upgrade to version 2.0.3 to mitigate this medium severity vulnerability.
May 12, 2026
CVE-2026-4607: ProfileGrid <= 5.9.8.4 – Missing Authorization to Authenticated (Subscriber+) Group Settings Modification (profilegrid-user-profiles-groups-and-communities)
CVE-2026-4607 affects the ProfileGrid User Profiles plugin (up to 5.9.8.4) with a CVSS score of 4.3. Authenticated attackers can bypass authorization to alter group settings. Update to 5.9.8.5 to mitigate this risk.
May 11, 2026
CVE-2026-6800: FastBots <= 1.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings (fastbots-ai-chatbots)
CVE-2026-6800 affects the Fastbots Ai Chatbots plugin (up to 1.0.12) with a medium severity score of 4.4. Authenticated attackers can exploit stored XSS vulnerabilities, impacting user security. Patching is essential.
May 11, 2026
CVE-2026-3604: WP SEO Structured Data Schema <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter (wp-seo-structured-data-schema)
CVE-2026-3604 affects the WP SEO Structured Data Schema plugin (up to v2.8.1) with a CVSS score of 4.9. Authenticated attackers can exploit this stored XSS vulnerability, so ensure you update to the patched version.
May 11, 2026
CVE-2026-1934: Motors – Car Dealership & Classified Listings Plugin <= 1.4.103 – Missing Authorization to Authenticated (Subscriber+) Payment Bypass via 'stm_payment_status' Parameter (motors-car-dealership-classified-listings)
CVE-2026-1934 affects the Motors Car Dealership Classified Listings plugin, allowing authenticated users to bypass payment verification. Update to version 1.4.104 to mitigate this medium severity vulnerability.
May 11, 2026
CVE-2026-6813: Continually <= 4.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'continually_embed_code' Parameter (continually)
CVE-2026-6813 affects the Continually plugin for WordPress (up to version 4.3.1) with a medium severity CVSS score of 4.4. Authenticated attackers can exploit stored XSS, emphasizing the need for prompt patching or WAF implementation.
May 11, 2026
CVE-2026-4663: iPOSpays Gateways WC <= 1.3.7 – Unauthenticated Missing Authorization to Settings Update via REST API Endpoint (ipospays-gateways-wc)
CVE-2026-4663 affects the Ipospays Gateways WC plugin (up to version 1.3.7) with a CVSS score of 5.3. Unauthenticated attackers can overwrite critical payment settings. Update to the patched version to mitigate risks.
May 11, 2026
CVE-2026-4301: Rate Star Review Vote <= 1.6.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter (rate-star-review)
CVE-2026-4301 affects the Rate Star Review plugin (v1.6.4 and earlier) with a medium severity (CVSS 4.3) authentication bypass. Authenticated attackers can modify arbitrary posts, so patching is crucial.
May 11, 2026
CVE-2026-2300: BJ Lazy Load <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block (bj-lazy-load)
CVE-2026-2300 affects the BJ Lazy Load plugin for WordPress (up to version 1.0.9) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Patch or implement WAF rules to mitigate potential attacks.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
