
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
June 10, 2026
CVE-2026-8499: Helpfulcrowd Product Reviews <= 1.2.9 Incorrect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update PoC, Patch Analysis & Rule
CVE-2026-8499 affects the Helpfulcrowd Product Reviews plugin (up to version 1.2.9) with a medium severity (CVSS 5.3) authentication bypass. Patch immediately to prevent unauthorized configuration changes.
June 10, 2026
CVE-2026-8977: WP GDPR Cookie Consent <= 1.0.0 Authenticated (Subscriber+) Stored Cross-Site Scripting via 'ninja_gdpr_ajax_actions' AJAX Action PoC, Patch Analysis & Rule
CVE-2026-8977 affects the WP GDPR Cookie Consent plugin (v1.0.0) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit this XSS vulnerability, emphasizing the need for immediate patching.
June 10, 2026
CVE-2026-8841: Extra Settings for RocketChat <= 0.1 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule
CVE-2026-8841 affects the Extra Settings for RocketChat plugin for WordPress (up to version 0.1) with a CVSS score of 6.4. Authenticated users can exploit this stored XSS vulnerability, so ensure you update to the patched version.
June 10, 2026
CVE-2026-7662: ePaperFlip Publisher <= 1 Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute PoC, Patch Analysis & Rule
CVE-2026-7662 affects the ePaperFlip Publisher plugin for WordPress, allowing authenticated users to exploit stored XSS due to insufficient input sanitization. Users should update to the latest version to mitigate this medium severity...
June 10, 2026
CVE-2026-10862: Accordions <= 2.3.23 Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field PoC, Patch Analysis & Rule
CVE-2026-10862 affects the Accordions plugin for WordPress (up to 2.3.23) with a medium severity CVSS score of 6.4. Authenticated attackers can exploit this stored XSS vulnerability, so ensure timely patching to mitigate risks.
June 10, 2026
CVE-2026-5714: Enable Media Replace <= 4.1.8 Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter PoC, Patch Analysis & Rule
CVE-2026-5714 affects the Enable Media Replace plugin for WordPress (up to version 4.1.8) with a medium severity CVSS score of 6.4. Patch to version 4.1.9 to mitigate the Stored Cross-Site Scripting vulnerability.
June 10, 2026
CVE-2026-9851: Booking Package <= 1.7.16 Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action PoC, Patch Analysis & Rule
CVE-2026-9851 affects the Booking Package plugin for WordPress (up to v1.7.16) with a CVSS score of 7.2. Authenticated attackers can escalate privileges to Administrator. Update to v1.7.17 to mitigate this risk.
June 10, 2026
CVE-2026-3011: Recipe Card Blocks Lite <= 3.4.13 Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes' PoC, Patch Analysis & Rule
CVE-2026-3011 affects Recipe Card Blocks By Wpzoom (up to v3.4.13) with a CVSS score of 6.4. Authenticated users can exploit stored XSS. Update to v3.4.14 to mitigate this vulnerability.
June 10, 2026
CVE-2026-7556: FV Flowplayer Video Player <= 7.5.49.7212 Unauthenticated Stored Cross-Site Scripting via Comment Text PoC, Patch Analysis & Rule
CVE-2026-7556 affects the FV WordPress Flowplayer plugin with a CVSS score of 7.2. This high-severity XSS vulnerability allows attackers to inject scripts via comments. Update to version 7.5.49.7213 or later to mitigate risks.
June 10, 2026
CVE-2026-9829: Photo Gallery by 10Web <= 1.8.41 Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter PoC, Patch Analysis & Rule
CVE-2026-9829 affects the Photo Gallery plugin (versions
June 10, 2026
CVE-2026-9594: WP Maps <= 4.9.4 Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter PoC, Patch Analysis & Rule
CVE-2026-9594 affects the WP Google Map Plugin (up to v4.9.4) with a medium severity CVSS score of 4.4. Authenticated attackers can exploit this stored XSS vulnerability, so ensure you update to the patched version.
June 9, 2026
CVE-2025-6254: Doctreat Core <= 1.6.8 Unauthenticated Privilege Escalation PoC, Patch Analysis & Rule
CVE-2025-6254 affects the Doctreat Core plugin (versions
June 9, 2026
CVE-2026-3018: Newsletters <= 4.13 Unauthenticated SQL Injection via wpmlsubscriber_id Parameter PoC, Patch Analysis & Rule
CVE-2026-3018 affects the Newsletters Lite plugin for WordPress (up to v4.13) with a CVSS score of 7.5. This high-severity SQL injection allows unauthenticated attackers to extract sensitive data. Patching is essential.
June 9, 2026
CVE-2026-8853: MW WP Form <= 5.1.3 Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter PoC, Patch Analysis & Rule
CVE-2026-8853 affects the Mw Wp Form plugin (up to version 5.1.3) with a medium severity CVSS score of 4.4. Authenticated attackers can exploit stored XSS via the 'memo' parameter, making patching to version 5.1.4 essential.
June 9, 2026
CVE-2026-8613: aThemes Addons for Elementor <= 1.1.8 Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting PoC, Patch Analysis & Rule
CVE-2026-8613 affects the aThemes Addons for Elementor Lite plugin (up to v1.1.8) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Update to v1.1.9 to mitigate risks from authenticated attackers injecting scripts.
June 9, 2026
CVE-2026-4058: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation PoC, Patch Analysis & Rule
CVE-2026-4058 affects the Wp User Frontend plugin (up to v4.3.2) with a medium severity (CVSS 4.3). Authenticated users can cancel any subscription, including admin ones. Update to v4.3.3 to mitigate this risk.
June 9, 2026
CVE-2025-8444: Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters PoC, Patch Analysis & Rule
CVE-2025-8444 affects the Animation Addons for Elementor plugin (up to v2.6.7) with a medium severity (CVSS 6.4) XSS vulnerability. Authenticated attackers can inject scripts, impacting user security. Update to the patched version to...
June 9, 2026
CVE-2026-8599: MailerPress <= 2.0.4 Authenticated (Author+) Stored Cross-Site Scripting via Campaign HTML Content Field PoC, Patch Analysis & Rule
CVE-2026-8599 affects the MailerPress plugin (up to v2.0.4) with a medium severity CVSS score of 6.4. Authenticated users can exploit stored XSS vulnerabilities; update to v2.0.5 to mitigate risks.
June 9, 2026
CVE-2026-11603: Product Filter Widget for Elementor <= 1.0.6 Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter PoC, Patch Analysis & Rule
CVE-2026-11603 affects the Product Filter Widget for Elementor plugin (up to v1.0.6) with a CVSS score of 6.1. Unauthenticated attackers can exploit this XSS vulnerability, so update to the patched version to mitigate risks.
June 9, 2026
CVE-2026-11616: Events Calendar for GeoDirectory <= 2.3.28 Authenticated (Subscriber+) Privilege Escalation PoC, Patch Analysis & Rule
CVE-2026-11616 affects the Events For Geodirectory plugin (up to version 2.3.28) with a CVSS score of 8.8. Authenticated users can escalate privileges to Administrator. Update to version 2.3.29 to mitigate this risk.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website and the internet, inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
