
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the underlying security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-01-06
CVE-2025-14145: Niche Hero | Beautifully-designed blocks in seconds <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'spacing' Shortcode Attribute (niche-hero)
The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject…
2026-01-06
CVE-2025-14122: AD Sliding FAQ <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (ad-sliding-faq)
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in…
2026-01-06
CVE-2025-15058: Responsive Pricing Table <= 5.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency' (dk-pricr-responsive-pricing-table)
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute…
2026-01-06
CVE-2025-13418: Responsive Pricing Table <= 5.1.12 – Authenticated (Author+) Stored Cross-Site Scripting (dk-pricr-responsive-pricing-table)
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute…
2026-01-06
CVE-2025-14796: My Album Gallery <= 1.0.4 – Authenticated (Author+) Stored Cross-Site Scripting via Image Title (my-album-gallery)
The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on the 'attachment->title' attribute. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts…
2026-01-06
CVE-2025-14453: My Album Gallery <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'style_css' Shortcode Attribute (my-album-gallery)
The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will…
2026-01-06
CVE-2025-13974: Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content (email-customizer-for-woocommerce)
The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in email templates that will execute…
2026-01-06
CVE-2025-13849: Cool YT Player <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (cool-yt-player)
The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute…
2026-01-06
CVE-2025-14127: Testimonial Master <= 0.2.1 – Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] (testimonial-master)
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user…
2026-01-06
CVE-2025-14112: Snillrik Restaurant <= 2.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'menu_style' Shortcode Attribute (snillrik-restaurant-menu)
The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute…
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website and the internet, inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
