AI-Powered CVE Analysis for WordPress Plugins

We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.

WordPress Proof of Concepts

AI-assisted vulnerability analysis with PoC demonstration

2026-03-10

CVE-2026-1992: ExactMetrics 8.6.0 – 9.0.2 – Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation (google-analytics-dashboard-for-wp)

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated…
2026-03-10

CVE-2026-1993: ExactMetrics 7.1.0 – 9.0.2 – Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update (google-analytics-dashboard-for-wp)

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including…
2026-03-10

CVE-2026-3492: Gravity Forms <= 2.9.28.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title (gravityforms)

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the…
2026-03-10

CVE-2026-3231: Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 – Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field (woo-checkout-field-editor-pro)

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then…
2026-03-10

CVE-2026-1708: Appointment Booking Calendar <= 1.6.9.27 – Unauthenticated SQL Injection via 'append_where_sql' Parameter (simply-schedule-appointments)

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for…
2026-03-10

CVE-2026-22448 (pitchprint)

Atomic Edge analysis of CVE-2026-22448 (metadata-based): The vulnerability is a critical SQL injection flaw in the PitchPrint WordPress plugin. This flaw allows unauthenticated attackers to execute arbitrary SQL commands on the underlying database. The vulnerability affects plugin components handling user input, likely through AJAX endpoints or REST API routes. Atomic Edge research infers the root…
2026-03-10

CVE-2026-0677 (totalcontest-lite)

Atomic Edge analysis of CVE-2026-0677 (metadata-based): This vulnerability is a critical security flaw in the TotalContest Lite WordPress plugin. The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the underlying database. The flaw resides in the plugin's AJAX or REST API endpoint handling, where user-supplied input is directly incorporated into SQL queries without…
2026-03-10

CVE-2026-32456 (admin-menu-editor)

Atomic Edge analysis of CVE-2026-32456 (metadata-based): This vulnerability affects the Admin Menu Editor WordPress plugin. The vulnerability description indicates insufficient access control in the plugin's AJAX handlers, allowing authenticated users with minimal privileges to perform administrative actions. The CWE classification points to improper authorization mechanisms. Atomic Edge research infers the root cause is missing capability…
2026-03-10

CVE-2026-24964 (contest-gallery)

Atomic Edge analysis of CVE-2026-24964 (metadata-based): This vulnerability is a critical SQL injection flaw in the Contest Gallery WordPress plugin. The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the plugin's database. The affected component is likely an AJAX or REST endpoint handler that processes user-supplied parameters without proper sanitization or prepared statement…
2026-03-10

CVE-2025-50001 (td-composer)

Atomic Edge analysis of CVE-2025-50001 (metadata-based): This vulnerability affects the td-composer WordPress plugin. The vulnerability description indicates an authentication bypass issue that allows unauthenticated attackers to execute arbitrary SQL queries via the plugin's AJAX endpoints. This represents a critical security flaw enabling complete database compromise. Atomic Edge research infers the root cause from the vulnerability…
2026-03-10

CVE-2026-27073 (buy-now-pay-later-addi)

Atomic Edge analysis of CVE-2026-27073 (metadata-based): This vulnerability is a critical security flaw in the 'buy-now-pay-later-addi' WordPress plugin. The vulnerability type and affected component cannot be determined from the provided metadata, as the CWE classification, CVSS vector, and description are all listed as 'N/A'. This lack of information prevents a definitive assessment of the vulnerability's…
2026-03-10

CVE-2026-22523 (ultra-admin)

Atomic Edge analysis of CVE-2026-22523 (metadata-based): This vulnerability affects the Ultra Admin WordPress plugin. The vulnerability description indicates an authentication bypass issue that allows unauthenticated attackers to access administrative functionality. The CWE classification is not provided, but the description suggests a failure to verify user permissions before executing privileged actions. Atomic Edge research infers the…
2026-03-10

CVE-2026-27087 (wolverine-framework)

Atomic Edge analysis of CVE-2026-27087 (metadata-based): This vulnerability is a critical SQL injection flaw in the Wolverine Framework WordPress plugin. The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands via a specific plugin endpoint, leading to complete database compromise. Atomic Edge research infers the root cause is insufficient input sanitization and a lack of…
2026-03-10

CVE-2026-27088 (darna-framework)

Atomic Edge analysis of CVE-2026-27088 (metadata-based): The vulnerability is a critical security flaw in the Darna Framework WordPress plugin. Insufficient metadata prevents definitive classification, but the plugin's framework nature suggests a core component affecting multiple plugin features. The absence of patched versions indicates an unmaintained plugin with active exposure risk. Atomic Edge research infers the…
2026-03-10

CVE-2026-32453 (fusion-core)

Atomic Edge analysis of CVE-2026-32453 (metadata-based): This vulnerability is a critical security flaw in the Fusion Core WordPress plugin. The absence of CWE, CVSS, and version metadata prevents precise classification, but the plugin's nature as a core component for the Avada theme suggests a high-impact vulnerability affecting a widely deployed system. The lack of available…
2026-03-10

CVE-2026-32454 (fusion-core)

Atomic Edge analysis of CVE-2026-32454 (metadata-based): This vulnerability affects the Fusion Core WordPress plugin. The vulnerability description and CWE classification are unavailable, preventing definitive classification. Without this metadata, Atomic Edge research cannot determine the vulnerability type, affected component, or severity. The analysis must rely on general WordPress plugin security patterns and the plugin's functionality context.…
2026-03-10

CVE-2026-22524 (legacy-admin)

Atomic Edge analysis of CVE-2026-22524 (metadata-based): This vulnerability affects the legacy-admin WordPress plugin. The absence of CWE, CVSS, and descriptive metadata prevents definitive classification. Atomic Edge research indicates this likely represents an unpatched security flaw in a discontinued or deprecated plugin component. Without patched versions available for comparison, the exact nature of the vulnerability remains…
2026-03-10

CVE-2026-3589: WooCommerce < 10.5.3 – Cross-Site Request Forgery (woocommerce)

The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 10.5.3 (exclusive). This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action, provided they can trick a site administrator into performing an action such as…
2026-03-10

CVE-2026-32450 (profit-products-tables-for-woocommerce)

Atomic Edge analysis of CVE-2026-32450 (metadata-based): This vulnerability affects the Profit Products Tables for WooCommerce WordPress plugin. The vulnerability description is unavailable, and no CWE classification, CVSS vector, or version information is provided. Without this metadata, the specific vulnerability type, affected component, and severity cannot be determined. Atomic Edge research cannot produce a substantive analysis…
2026-03-10

CVE-2026-24364 (wp-user-frontend)

Atomic Edge analysis of CVE-2026-24364 (metadata-based): This vulnerability affects the WP User Frontend plugin. The vulnerability description is missing, preventing a definitive classification. The CWE classification and CVSS vector are also unavailable. Without these critical metadata fields, Atomic Edge research cannot determine the vulnerability type, affected component, or severity. The analysis is limited to general…

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website and the internet, inspecting, filtering, and blocking malicious traffic before it ever reaches your application.