
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 11, 2026
CVE-2026-4920: Next Date <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute (nextdate)
CVE-2026-4920 affects the Next Date plugin for WordPress (up to version 1.0) with a CVSS score of 6.4. Authenticated attackers can exploit this cross-site scripting vulnerability, so ensure timely patching and mitigation.
May 11, 2026
CVE-2026-2993: AI Chatbot & Workflow Automation by AIWU <= 1.4.17 – Unauthenticated SQL Injection in getListForTbl() (ai-copilot-content-generator)
CVE-2026-2993 affects the Ai Copilot Content Generator plugin (up to v1.4.17) with a high severity SQL injection vulnerability (CVSS 7.5). Unauthenticated attackers can exploit this flaw to access sensitive database information...
May 11, 2026
CVE-2026-4859: SP Blog Designer <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute (sp-blog-designer)
CVE-2026-4859 affects the SP Blog Designer plugin for WordPress (up to 1.0.0) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit stored XSS vulnerabilities, so ensure timely patching or WAF coverage.
May 11, 2026
CVE-2026-6932: Woo Commerce Minimum Weight <= 3.0.1 – Cross-Site Request Forgery via Settings Update Form (woo-commerce-min-weight)
CVE-2026-6932 affects the Woo Commerce Min Weight plugin (up to v3.0.1) with a medium severity (CVSS 4.3) CSRF vulnerability. Ensure you update to the patched version to mitigate unauthorized changes to order weight settings.
May 11, 2026
CVE-2026-7437: AzonPost <= 1.3 – Reflected Cross-Site Scripting (azonpost)
CVE-2026-7437 affects the AzonPost plugin for WordPress (up to version 1.3) with a medium severity CVSS score of 6.1. Unauthenticated attackers can exploit this XSS vulnerability, so patching is essential.
May 11, 2026
CVE-2026-7464: WP Google Maps Integration <= 1.2 – Reflected Cross-Site Scripting via 'page' Parameter (wp-google-maps-integration)
CVE-2026-7464 affects the WP Google Maps Integration plugin (up to v1.2) with a medium severity CVSS score of 6.1. Unauthenticated attackers can exploit this XSS vulnerability, so patching is essential to mitigate risks.
May 11, 2026
CVE-2026-6663: GWD Connect <= 2.9 – Unauthenticated Limited Code Execution via update_agent (graphic-web-design-inc)
CVE-2026-6663 affects the Graphic Web Design Inc plugin (version 2.9) with a medium severity (CVSS 4.8) vulnerability allowing unauthenticated remote code execution. Users should patch to secure installations.
May 11, 2026
CVE-2026-7616: Zawgyi Embed <= 2.1.1 – Cross-Site Request Forgery via 'zawgyi_forceCSS' Parameter (zawgyi-embed)
CVE-2026-7616 affects the Zawgyi Embed plugin for WordPress (up to version 2.1.1) with a medium severity (CVSS 4.3) CSRF vulnerability. Ensure you update to the patched version to mitigate potential unauthorized changes.
May 11, 2026
CVE-2026-7626: Slek Gateway for WooCommerce <= 1.0 – Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields (slek-gateway-for-woocommerce)
CVE-2026-7626 affects the Slek Gateway for WooCommerce plugin (v1.0) with a CVSS score of 5.3. This medium severity vulnerability exposes API credentials, allowing unauthenticated users to access sensitive information. Patching is...
May 11, 2026
CVE-2026-6808: Pricing Tables for WP <= 1.1.0 – Reflected Cross-Site Scripting via 'page' Parameter (awesome-pricing-tables-lite-by-optimalplugins)
CVE-2026-6808 affects Awesome Pricing Tables Lite (v1.1.0 and earlier) with a CVSS score of 6.1. This medium severity reflected XSS vulnerability allows unauthenticated attackers to inject scripts via the 'page' parameter. Patching is...
May 11, 2026
CVE-2026-7562: WP-Redirection <= 1.0.3 – Cross-Site Request Forgery to Settings Update (wp-redirection)
CVE-2026-7562 affects the WP-Redirection plugin (up to version 1.0.3) with a medium severity CVSS score of 4.3. Unauthenticated attackers can exploit this CSRF vulnerability, so ensure proper mitigation measures are in place.
May 11, 2026
CVE-2026-7561: Tm – WordPress Redirection <= 1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting (tm-wordpress-redirection)
CVE-2026-7561 affects the Tm WordPress Redirection plugin (up to version 1.2) with a CVSS score of 6.1. This medium severity CSRF vulnerability allows unauthenticated attackers to inject scripts if an admin is tricked into clicking a link.
May 11, 2026
CVE-2026-7050: Forms Rb <= 1.1.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter (forms-rb)
CVE-2026-7050 affects the Forms Rb plugin for WordPress (up to version 1.1.9) with a CVSS score of 4.3. Authenticated attackers can bypass authorization, leading to unauthorized access to form data. Patching is essential.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (product-layouts)
CVE-2024-13362 affects the Product Layouts plugin (v1.3.1) with a medium severity CVSS score of 6.1. Users should upgrade to v1.3.5 to mitigate the reflected XSS vulnerability that allows script injection.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (send-users-email)
CVE-2024-13362 affects the Send Users Email plugin (v1.5.10) with a CVSS score of 6.1. This medium severity cross-site scripting vulnerability can be mitigated by updating to version 1.6.2.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (embedder-for-google-reviews)
CVE-2024-13362 affects the Embedder For Google Reviews plugin (v1.6.6) with a medium severity CVSS score of 6.1. Users should upgrade to v1.7.5 to mitigate the reflected XSS risk from unauthenticated attackers.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (dracula-dark-mode)
CVE-2024-13362 affects the Dracula Dark Mode plugin (v1.2.7) with a medium severity CVSS score of 6.1. Users should avoid clicking on suspicious links and update to the patched version to mitigate cross-site scripting risks.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (wc-cashapp)
CVE-2024-13362 affects the Wc Cashapp plugin (v6.0.2) with a medium severity (CVSS 6.1) reflected XSS vulnerability. Update to v6.0.3.1 to mitigate risks from potential attacks via unsanitized URL parameters.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (smart-phone-field-for-gravity-forms)
CVE-2024-13362 affects the Smart Phone Field For Gravity Forms plugin (v2.1.6) with a medium severity CVSS of 6.1. Users should update to v2.2.0 to mitigate the reflected cross-site scripting risk.
May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (mapster-wp-maps)
CVE-2024-13362 affects Mapster WP Maps (v1.9.0) with a medium severity CVSS score of 6.1. Unauthenticated attackers can exploit this XSS vulnerability. Update to v1.21.0 to mitigate risks.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
