
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
June 13, 2026
CVE-2026-10580: Hippoo Mobile App for WooCommerce <= 1.9.4 Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API PoC, Patch Analysis & Rule
CVE-2026-10580 reveals a critical authentication bypass in the Hippoo Mobile App for WooCommerce plugin (versions
June 13, 2026
CVE-2026-5411: WP Captcha PRO <= 5.38 Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload PoC, Patch Analysis & Rule
CVE-2026-5411 affects the Advanced Google Recaptcha plugin (up to version 5.38) with a CVSS score of 8.8. Authenticated users can exploit a file upload vulnerability for remote code execution. Patching is essential.
June 13, 2026
CVE-2026-8608: Event Monster <= 2.1.0 Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action PoC, Patch Analysis & Rule
CVE-2026-8608 affects the Event Monster plugin (up to v2.1.0) with a medium severity (CVSS 5.3) vulnerability. Unauthenticated attackers can forge payment records. Update to v2.1.1 to mitigate this risk.
June 13, 2026
CVE-2026-49078: WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.10 Missing Authorization PoC, Patch Analysis & Rule
CVE-2026-49078 affects WP Travel Engine plugin versions up to 6.7.10, allowing unauthorized access due to a missing capability check. Upgrade to version 6.7.11 to mitigate this medium severity vulnerability (CVSS 5.3).
June 13, 2026
CVE-2026-7654: Admin Columns <= 7.0.18 Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value PoC, Patch Analysis & Rule
CVE-2026-7654 affects the Codepress Admin Columns plugin (up to version 7.0.18) with a CVSS score of 8.8. This high-severity vulnerability allows remote code execution; patch immediately.
June 13, 2026
CVE-2019-25738: Hybrid Composer <= 1.4.6 Missing Authorization PoC, Patch Analysis & Rule
CVE-2019-25738 affects the Hybrid Composer plugin for WordPress (up to version 1.4.6) with a medium severity CVSS score of 5.3. Unauthenticated attackers can exploit this vulnerability, so patching is essential.
June 13, 2026
CVE-2026-9290: WP User Manager <= 2.9.17 Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter PoC, Patch Analysis & Rule
CVE-2026-9290 affects the WP User Manager plugin (up to 2.9.17) with a CVSS score of 7.5. This high-severity vulnerability allows unauthenticated Local File Inclusion, enabling attackers to execute arbitrary PHP code. Update to 2.9.18...
June 13, 2026
CVE-2026-49082: Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 Authenticated (Subscriber+) Information Exposure PoC, Patch Analysis & Rule
CVE-2026-49082 affects the Chatway Live Chat plugin (up to version 1.4.8), exposing sensitive data to authenticated attackers. Update to version 1.4.9 to mitigate this medium severity vulnerability with a CVSS score of 4.3.
June 13, 2026
CVE-2026-8385: WP Go Maps < 10.0.10 Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback PoC, Patch Analysis & Rule
CVE-2026-8385 affects WP Google Maps versions up to 10.0.09, allowing unauthenticated users to access sensitive marker data. Upgrade to 10.0.10 to mitigate this medium severity vulnerability.
June 13, 2026
CVE-2026-49083: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.1 Authenticated (Contributor+) Privilege Escalation PoC, Patch Analysis & Rule
CVE-2026-49083 affects the LatePoint plugin for WordPress (up to 5.5.1) with a CVSS score of 8.8. Authenticated attackers can escalate privileges to administrator. Update to version 5.5.2 to mitigate this risk.
June 13, 2026
CVE-2026-49079: JetSearch <= 3.5.17 Unauthenticated SQL Injection PoC, Patch Analysis & Rule
CVE-2026-49079 reveals a high severity SQL injection vulnerability (CVSS 7.5) in the Jet Search plugin for WordPress, affecting versions up to 3.5.17. Users should update to the patched version to mitigate risks of data exposure.
June 13, 2026
CVE-2026-49766: WP User Manager – User Profile Builder & Membership <= 2.9.16 Authenticated (Subscriber+) Arbitrary File Deletion PoC, Patch Analysis & Rule
CVE-2026-49766 affects WP User Manager plugin versions up to 2.9.16, allowing authenticated users to delete arbitrary files, potentially leading to remote code execution. Upgrade to version 2.9.17 to mitigate this high-severity...
June 13, 2026
CVE-2026-9016: Debug Log Manager <= 2.5.0 Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action PoC, Patch Analysis & Rule
CVE-2026-9016 affects the Debug Log Manager plugin (up to 2.5.0) with a medium severity (CVSS 5.3) vulnerability. Users should upgrade to 2.5.1 to prevent unauthorized log injection by unauthenticated attackers.
June 13, 2026
CVE-2026-49105: WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule
CVE-2026-49105 affects the Cf7 Zendesk plugin for WordPress (up to 1.1.4) with a high severity CVSS score of 8.1. Unauthenticated PHP object injection can lead to serious impacts; update to version 1.1.5 to mitigate risks.
June 13, 2026
CVE-2026-49104: Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule
CVE-2026-49104 affects the Cf7 Infusionsoft plugin (up to version 1.2.1) with a high severity CVSS score of 8.1. Unauthenticated attackers can exploit a file upload vulnerability, so update to version 1.2.2 to mitigate risks.
June 13, 2026
CVE-2026-9691: Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule
CVE-2026-9691 affects the Cf7 Active Campaign plugin for WordPress (versions up to 1.1.1) with a high severity CVSS score of 8.1. Users should upgrade to version 1.1.2 to mitigate the PHP Object Injection vulnerability.
June 13, 2026
CVE-2026-49112: Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.64 Unauthenticated Path Traversal PoC, Patch Analysis & Rule
CVE-2026-49112 affects the Shared Files plugin for WordPress (up to version 1.7.64) with a medium severity CVSS score of 5.3. Users should update to version 1.7.65 to mitigate the Path Traversal vulnerability.
June 13, 2026
CVE-2019-25727: 10WebAdManager <= 1.0.11 Unauthenticated Arbitrary File Download PoC, Patch Analysis & Rule
CVE-2019-25727 affects the 10WebAdManager plugin for WordPress (up to version 1.0.11) with a CVSS score of 5.3. Unauthenticated attackers can exploit a file upload vulnerability, allowing access to sensitive server files. Patching is...
June 13, 2026
CVE-2026-49081: User Registration Stripe <= 1.3.12 Missing Authorization PoC, Patch Analysis & Rule
CVE-2026-49081 affects the User Registration Stripe plugin for WordPress (up to version 1.3.12) with a CVSS score of 5.3. It allows unauthorized access due to a missing capability check, requiring immediate patching.
June 13, 2026
CVE-2026-49085: WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule
CVE-2026-49085 affects the Cf7 Insightly plugin for WordPress, with a CVSS score of 8.1. Users should upgrade to version 1.1.5 to mitigate the high-severity PHP Object Injection vulnerability.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
