Atomic Edge Product

AI-Powered CVE Analysis for WordPress Plugins

We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.

WordPress Proof of Concepts

AI-assisted vulnerability analysis with PoC demonstration

June 12, 2026

CVE-2025-12656: Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 Authenticated (Admin+) Arbitrary Directory Deletion PoC, Patch Analysis & Rule

CVE-2025-12656 affects the WPvivid Backuprestore plugin (up to 0.9.128) with a low severity CVSS of 3.8. Authenticated admins can delete arbitrary server folders; update to 0.9.129 to mitigate this risk.
June 12, 2026

CVE-2026-9719: LatePoint <= 5.6.0 Cross-Site Request Forgery via invoices__change_status Action PoC, Patch Analysis & Rule

CVE-2026-9719 affects the LatePoint plugin (up to v5.6.0) with a medium severity (CVSS 4.3) CSRF vulnerability. Patch to v5.6.1 to prevent unauthorized invoice status changes.
June 12, 2026

CVE-2026-8976: RSS Aggregator by Feedzy <= 5.1.7 Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions PoC, Patch Analysis & Rule

CVE-2026-8976 affects Feedzy Rss Feeds plugin versions up to 5.1.7, allowing authenticated users to bypass authorization. Update to 5.1.8 to mitigate this medium severity vulnerability.
June 12, 2026

CVE-2026-8438: All-In-One Security (AIOS) <= 5.4.7 Unauthenticated Stored Cross-Site Scripting via REST API Request Path PoC, Patch Analysis & Rule

CVE-2026-8438 affects the All In One WP Security And Firewall plugin (up to version 5.4.7) with a CVSS score of 7.2. Ensure you update to version 5.4.8 to mitigate the risk of stored cross-site scripting attacks.
June 12, 2026

CVE-2026-8893: Express Payment For Stripe <= 1.28.0 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE-2026-8893 affects the Wp Stripe Express plugin (up to v1.28.0) with a medium severity (CVSS 6.4) cross-site scripting vulnerability. Update to v1.28.2 to mitigate risks from authenticated attackers injecting scripts.
June 12, 2026

CVE-2026-7047: Frontend User Notes <= 2.1.1 Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action PoC, Patch Analysis & Rule

CVE-2026-7047 affects the Frontend User Notes plugin for WordPress (up to v2.1.1) with a medium severity CVSS score of 4.3. Users should upgrade to v2.2.0 to mitigate the risk of CSRF attacks.
June 12, 2026

CVE-2026-10038: Charitable <= 1.8.11.1 Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter PoC, Patch Analysis & Rule

CVE-2026-10038 affects the Charitable plugin (up to 1.8.11.1) with a medium severity score of 4.3. Authenticated users can exploit this to delete arbitrary attachments. Update to version 1.8.11.2 to mitigate this risk.
June 12, 2026

CVE-2026-8900: Simple SEO Slideshow <= 1.2.8 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE-2026-8900 affects the Simple SEO Slideshow plugin for WordPress (up to v1.2.8) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit stored XSS via shortcode attributes, so patching is essential.
June 12, 2026

CVE-2026-7523: Alba Board <= 2.1.3 Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter PoC, Patch Analysis & Rule

CVE-2026-7523 affects the Alba Board plugin for WordPress (up to v2.1.3) with a medium severity (CVSS 4.3) authentication bypass vulnerability. Upgrade to v2.1.4 to protect against unauthorized access to private data.
June 12, 2026

CVE-2026-5415: WP Captcha PRO <= 5.38 Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link PoC, Patch Analysis & Rule

CVE-2026-5415 affects the Advanced Google Recaptcha plugin, allowing authenticated attackers to bypass authentication due to a nonce check flaw. Users should update to the patched version to mitigate this high-severity risk.
June 12, 2026

CVE-2026-8206: Kirki 6.0.0 - 6.0.6 Unauthenticated Privilege Escalation via 'handle_forgot_password' PoC, Patch Analysis & Rule

CVE-2026-8206 is a critical vulnerability in the Kirki plugin (versions 6.0.0 to 6.0.6) allowing unauthenticated account takeover via password reset. Update to version 6.0.7 to mitigate this risk.
June 11, 2026

CVE-2026-8839: MapPress Maps for WordPress <= 2.96.6 Unauthenticated Insecure Direct Object Reference via REST API Endpoints PoC, Patch Analysis & Rule

CVE-2026-8839 affects the MapPress Google Maps for WordPress plugin up to version 2.96.6, allowing unauthenticated access to sensitive map data. Upgrade to version 2.97.1 to mitigate this medium severity vulnerability.
June 11, 2026

CVE-2026-7624: SEO Plugin by Squirrly SEO <= 12.4.16 Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations PoC, Patch Analysis & Rule

CVE-2026-7624 affects Squirrly SEO plugin versions up to 12.4.16, allowing authenticated attackers to bypass authorization. Upgrade to 12.4.17 to mitigate this medium severity vulnerability with a CVSS score of 4.3.
June 11, 2026

CVE-2026-9125: The Ultimate Video Player For WordPress <= 4.2.0 Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute PoC, Patch Analysis & Rule

CVE-2026-9125 affects Presto Player plugin versions up to 4.2.0, allowing authenticated attackers to inject JavaScript due to insufficient input sanitization. Upgrade to 4.2.1 to mitigate this medium severity cross-site scripting risk.
June 11, 2026

CVE-2026-2500: Quick Playground <= 1.3.4 Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter PoC, Patch Analysis & Rule

CVE-2026-2500 affects the Quick Playground plugin (up to version 1.3.4) with a medium severity (CVSS 4.4) file upload vulnerability. Update to version 1.3.5 to mitigate the risk of unauthorized file access.
June 11, 2026

CVE-2026-7665: Essential Addons for Elementor <= 6.6.4 Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler PoC, Patch Analysis & Rule

CVE-2026-7665 affects the Essential Addons For Elementor Lite plugin (up to version 6.6.4) with a CVSS score of 5.3. Unauthenticated attackers can access restricted post data; update to version 6.6.5 to mitigate this risk.
June 11, 2026

CVE-2026-9197: Smart Slider 3 <= 3.5.1.36 Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export PoC, Patch Analysis & Rule

CVE-2026-9197 affects Smart Slider 3 (up to 3.5.1.36) with a CVSS score of 4.9. Authenticated admins can exploit a file upload vulnerability to read sensitive server files. Update to the patched version to mitigate risks.
June 11, 2026

CVE-2026-7565: LearnPress <= 4.1.4 Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter PoC, Patch Analysis & Rule

CVE-2026-7565 affects the LearnPress Import Export plugin (up to v4.1.4) with a medium severity (CVSS 4.9) file upload vulnerability. Update to v4.1.5 to mitigate risks of arbitrary file read by authenticated attackers.
June 11, 2026

CVE-2026-8502: LearnPress <= 4.3.6 Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters PoC, Patch Analysis & Rule

CVE-2026-8502 affects the LearnPress plugin (up to version 4.3.6) with a CVSS score of 5.3. Unauthenticated attackers can access sensitive data. Upgrade to version 4.3.7 to mitigate this vulnerability.
June 11, 2026

CVE-2026-8611: Klamra Paycal for Aspaclaria <= 1.1.4 Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter PoC, Patch Analysis & Rule

CVE-2026-8611 affects the Klamra Paycal for Aspaclaria plugin (v1.1.4 and below) with a medium severity (CVSS 4.3). Authenticated users can exploit this to access sensitive customer invoices. Update to version 1.1.5 to mitigate.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website and the internet, inspecting, filtering, and blocking malicious traffic before it ever reaches your application.