
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
June 11, 2026
CVE-2026-7796: EmbedPress <= 4.5.3 Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute PoC, Patch Analysis & Rule
CVE-2026-7796 affects the Embedpress plugin for WordPress (up to v4.5.3) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit a stored XSS vulnerability; update to v4.5.4 to mitigate.
June 11, 2026
CVE-2026-7792: WPForms <= 1.10.0.4 Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint PoC, Patch Analysis & Rule
CVE-2026-7792 affects WPForms Lite versions up to 1.10.0.4, allowing unauthenticated remote code execution due to insufficient data verification. Upgrade to 1.10.0.5 to mitigate this medium severity vulnerability.
June 11, 2026
CVE-2026-8991: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings PoC, Patch Analysis & Rule
CVE-2026-8991 affects the Drag And Drop Multiple File Upload Contact Form 7 plugin (up to 1.3.9.7) with a medium severity CVSS of 4.4. Patch to 1.3.9.8 to mitigate stored XSS risks from authenticated attackers.
June 11, 2026
CVE-2026-7537: MDJM Event Management <= 1.7.8.3 Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter PoC, Patch Analysis & Rule
CVE-2026-7537 affects the Mobile Dj Manager plugin (up to 1.7.8.3) with a CVSS score of 7.2. Authenticated attackers can exploit a file upload vulnerability, making patching to version 1.7.8.4 critical for security.
June 11, 2026
CVE-2026-7566: LearnPress – Backup & Migration Tool <= 4.1.4 Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload PoC, Patch Analysis & Rule
CVE-2026-7566 affects the LearnPress Import Export plugin (up to v4.1.4) with a medium severity (CVSS 6.6) file upload vulnerability. Update to v4.1.5 to mitigate risks from potential PHP Object Injection.
June 11, 2026
CVE-2026-8978: OptinCraft <= 1.2.0 Authenticated (Administrator+) SQL Injection via 'order_by' Parameter PoC, Patch Analysis & Rule
CVE-2026-8978 affects the OptinCraft plugin for WordPress (up to 1.2.0) with a medium severity SQL injection vulnerability. Admins should upgrade to version 1.2.1 to mitigate risks of sensitive data exposure.
June 11, 2026
CVE-2026-9280: Ad Inserter <= 2.8.15 Reflected Cross-Site Scripting via URL Parameters in iframe Mode PoC, Patch Analysis & Rule
CVE-2026-9280 affects the Ad Inserter plugin for WordPress (up to version 2.8.15) with a CVSS score of 6.1. Users should upgrade to version 2.8.16 to mitigate the risk of reflected XSS attacks.
June 11, 2026
CVE-2026-7795: Click to Chat <= 4.39 Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter PoC, Patch Analysis & Rule
CVE-2026-7795 affects the Click To Chat For Whatsapp plugin (up to v4.38) with a CVSS score of 6.4. Authenticated attackers can exploit a stored XSS vulnerability. Update to v4.40 to mitigate this risk.
June 11, 2026
CVE-2026-9008: Page-list <= 6.2 Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes PoC, Patch Analysis & Rule
CVE-2026-9008 affects the Page List plugin for WordPress versions up to 6.2, allowing authenticated attackers to access sensitive data from private and draft pages. Upgrade to version 6.3 to mitigate this medium severity vulnerability.
June 11, 2026
CVE-2026-9281: Master Addons For Elementor <= 3.1.0 Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) PoC, Patch Analysis & Rule
CVE-2026-9281 affects Master Addons for Elementor (up to v3.1.0) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Update to v3.1.1 to mitigate risks from authenticated attackers injecting malicious scripts.
June 11, 2026
CVE-2026-8901: Integration for Freshsales <= 1.0.15 Unauthenticated Stored Cross-Site Scripting via Form Submission Data PoC, Patch Analysis & Rule
CVE-2026-8901 affects the Crm Integration Freshworks Any Form plugin (up to v1.0.15) with a CVSS score of 7.2. It allows stored XSS via form submissions. Update to v1.0.16 to mitigate risks.
June 10, 2026
CVE-2026-10795: UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 Unauthenticated Authentication Bypass via UpdraftCentral udrpc PoC, Patch Analysis & Rule
CVE-2026-10795 affects UpdraftPlus plugin versions up to 1.26.4 with a high severity CVSS score of 8.1. Patch to 1.26.5 to mitigate authentication bypass risks that allow unauthorized command execution.
June 10, 2026
CVE-2026-2827: Open User Map PRO <= 1.4.31 Unauthenticated Stored Cross-Site Scripting via 'oum_location_notification' PoC, Patch Analysis & Rule
CVE-2026-2827 affects the Open User Map Pro plugin for WordPress (up to 1.4.31) with a medium severity CVSS score of 4.7. Users should patch to mitigate the stored XSS risk from unauthenticated attackers.
June 10, 2026
CVE-2026-8940: WP Meta Sort Posts <= 0.9 Cross-Site Request Forgery to Plugin Settings Update PoC, Patch Analysis & Rule
CVE-2026-8940 affects the WP Meta Sort Posts plugin (up to v0.9) with a medium severity (CVSS 4.3) CSRF vulnerability. Ensure you update to the patched version to prevent unauthorized changes by attackers.
June 10, 2026
CVE-2026-9185: 6Storage Rentals <= 2.22.0 Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter PoC, Patch Analysis & Rule
CVE-2026-9185 affects the 6Storage Rentals plugin for WordPress (up to 2.22.0) with a CVSS score of 7.5. Unauthenticated attackers can access and modify tenant data. Update to the patched version to mitigate risks.
June 10, 2026
CVE-2026-8904: FastPicker, an order picker and order management system (oms) for WooCommerce on steroids <= 1.0.2 Cross-Site Request Forgery via Settings Save PoC, Patch Analysis & Rule
CVE-2026-8904 affects the Fastpicker plugin (v1.0.2) with a medium severity (CVSS 4.3) CSRF vulnerability. Unauthenticated attackers can modify settings if an admin is tricked into a forged request. Update to the patched version.
June 10, 2026
CVE-2026-8907: WP-Ultimate-Map <= 1.1 Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter PoC, Patch Analysis & Rule
CVE-2026-8907 affects the WP Ultimate Map plugin (up to version 1.1) with a medium severity CVSS score of 6.1. Unauthenticated attackers can exploit this cross-site scripting vulnerability, making patching essential.
June 10, 2026
CVE-2026-8910: WP Emoticon Rating <= 1.0.1 Cross-Site Request Forgery to Reflected Cross-Site Scripting via 'emo_settings' Parameter PoC, Patch Analysis & Rule
CVE-2026-8910 affects the WP Emoticon Rating plugin (v1.0.1) with a medium severity rating (CVSS 6.1). It allows unauthenticated attackers to exploit cross-site request forgery, impacting site security. Patching is recommended.
June 10, 2026
CVE-2026-8909: WpMobi <= 0.0.3 Cross-Site Request Forgery via save_general_settings Action PoC, Patch Analysis & Rule
CVE-2026-8909 affects the Wp Mobi plugin for WordPress (up to version 0.0.3) with a medium severity (CVSS 4.3) CSRF vulnerability. Ensure you update to the patched version to mitigate unauthorized settings changes.
June 10, 2026
CVE-2026-8902: AJAX Report Comments <= 2.0.4 Cross-Site Request Forgery to Settings Update PoC, Patch Analysis & Rule
CVE-2026-8902 affects the AJAX Report Comments plugin for WordPress (up to v2.0.4) with a medium severity (CVSS 4.3) CSRF vulnerability. Ensure proper nonce validation to mitigate risks and protect plugin settings.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
