AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-01-06
CVE-2025-14130: Post Like Dislike <= 1.0 – Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] (post-like-dislike)
The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a…
2026-01-06
CVE-2025-13801: Yoco Payments <= 3.9.0 – Unauthenticated Arbitrary File Read (yoco-payment-gateway)
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
2026-01-06
CVE-2025-14147: Easy GitHub Gist Shortcodes <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute (easy-github-gist-shortcodes)
The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts…
2026-01-06
CVE-2025-14070: Reviewify <= 1.0.7 – Missing Authorization to Authenticated (Contributor+) Arbitrary WooCommerce Coupon Creation (review-for-discount)
The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the…
2026-01-06
CVE-2025-14118: Starred Review <= 1.4.2 – Reflected Cross-Site Scripting via PHP_SELF Variable (starred-review)
The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user…
2026-01-06
CVE-2025-14465: Sticky Action Buttons <= 1.1 – Cross-Site Request Forgery to Plugin Settings Update (sticky-action-buttons)
The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site…
2026-01-06
CVE-2025-13848: STM Gallery 1.9 <= 0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (stm-gallery)
The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute…
2026-01-06
CVE-2025-14626: QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes (qr-code-tag-for-wc-from-goaskle-com)
The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and…
2026-01-06
CVE-2025-14057: Multi-column Tag Map <= 17.0.39 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'mctm_css_conditional' Parameter (multi-column-tag-map)
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever…
2026-01-06
CVE-2025-14113: Viitor Button Shortcodes <= 3.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute (viitor-shortcodes)
The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will…
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.