
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
June 9, 2026
CVE-2026-8677: Prime Elementor Addons <= 1.3.3 Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings PoC, Patch Analysis & Rule
CVE-2026-8677 affects the Unlimited Elementor Inner Sections plugin (v1.3.3) with a medium severity (CVSS 6.4) stored XSS vulnerability. Authenticated attackers can inject scripts via widget settings, impacting all users. Patching is...
June 9, 2026
CVE-2026-10738: jQuery Hover Footnotes <= 1.4 Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{…}}' Syntax) PoC, Patch Analysis & Rule
CVE-2026-10738 affects the jQuery Hover Footnotes plugin (v1.4 and earlier) with a CVSS score of 6.4. Authenticated attackers can exploit this stored XSS vulnerability, so ensure timely patching to mitigate risks.
June 9, 2026
CVE-2026-7542: Slider Revolution <= 7.0.10 Authenticated (Subscriber+) Sensitive Information Disclosure PoC, Patch Analysis & Rule
CVE-2026-7542 affects the Revslider plugin (up to version 7.0.10) with a CVSS score of 6.5. Authenticated users can exploit design flaws to access sensitive server files. Update to the patched version to mitigate this risk.
June 9, 2026
CVE-2026-8895: kk blog card <= 1.3 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule
CVE-2026-8895 affects the Kk Blog Card plugin for WordPress (up to v1.3) with a CVSS score of 6.4. Authenticated users can exploit this stored XSS vulnerability, so ensure timely patching or WAF coverage.
June 9, 2026
CVE-2026-10553: jQuery Hover Footnotes <= 1.4 Cross-Site Request Forgery to Plugin Settings Update PoC, Patch Analysis & Rule
CVE-2026-10553 affects the jQuery Hover Footnotes plugin (up to v1.4) with a medium severity (CVSS 4.3) CSRF vulnerability. Patch to prevent unauthorized changes to settings and potential XSS risks.
June 9, 2026
CVE-2026-8882: WP ApplicantStack Jobs Display <= 1.1.1 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule
CVE-2026-8882 affects the WP ApplicantStack Jobs Display plugin (up to v1.1.1) with a medium severity (CVSS 6.4) stored XSS vulnerability. Authenticated users can exploit this flaw, making patching essential for security.
June 9, 2026
CVE-2026-8883: Global Body Mass Index Calculator <= 1.2 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule
CVE-2026-8883 affects the Global Body Mass Index Calculator plugin (up to v1.2) with a CVSS score of 6.4. Authenticated attackers can exploit a Stored XSS vulnerability, making timely patching essential.
June 9, 2026
CVE-2026-10024: TinyMCE shortcode Addon <= 1.0.0 Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute PoC, Patch Analysis & Rule
CVE-2026-10024 affects the 360crest Themeone Tinymce Shortcodes plugin (up to v1.0.0) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Users should patch to mitigate risks from authenticated attackers injecting scripts.
June 9, 2026
CVE-2026-9662: Recover Exit For WooCommerce <= 1.0.3 Unauthenticated Local File Inclusion via 'tpf' Parameter PoC, Patch Analysis & Rule
CVE-2026-9662 reveals a high severity Local File Inclusion vulnerability in the Recover Exit For WooCommerce plugin (up to 1.0.3). Unauthenticated attackers can exploit this flaw, so users should patch immediately.
June 9, 2026
CVE-2026-8880: RomanCart Ecommerce <= 2.0.8 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule
CVE-2026-8880 affects the RomanCart Ecommerce plugin for WordPress (up to version 2.0.8) with a CVSS score of 6.4. Authenticated attackers can exploit this medium-severity XSS vulnerability, so patching is essential.
June 8, 2026
CVE-2026-10100: Simple Custom Login Page <= 1.0.3 Authenticated (Admin+) Stored Cross-Site Scripting PoC, Patch Analysis & Rule
CVE-2026-10100 affects the Simple Custom Login Page plugin for WordPress (up to 1.0.3) with a medium severity (CVSS 4.4) stored XSS vulnerability. Update to version 1.0.4 to mitigate risks of CSS injection attacks.
June 4, 2026
CVE-2026-9022: Splide Carousel Block <= 1.7.1 Authenticated (Contributor+) Stored Cross-Site Scripting via 'url' Block Attribute PoC, Patch Analysis & Rule
CVE-2026-9022 affects the Splide Carousel plugin (up to v1.7.1) with a medium severity (CVSS 6.4) stored XSS vulnerability. Update to v1.7.2 to mitigate risks from authenticated attackers injecting scripts.
June 4, 2026
CVE-2026-2128: Breeze Cache <= 2.5.2 Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie PoC, Patch Analysis & Rule
CVE-2026-2128 affects the Breeze plugin for WordPress (up to 2.5.2) with a CVSS score of 5.3. It allows unauthorized access to sensitive cached content. Update to version 2.5.3 to mitigate this vulnerability.
June 2, 2026
CVE-2026-9732: EmergencyWP <= 1.4.2 Cross-Site Request Forgery to Plugin Settings Update PoC, Patch Analysis & Rule
CVE-2026-9732 affects EmergencyWP plugin versions up to 1.4.2, exposing a CSRF vulnerability (CVSS 4.3). Unauthenticated attackers can alter critical settings. Ensure you update to the patched version to mitigate risks.
June 2, 2026
CVE-2026-7421: Passeum Ticketing <= 1.0 Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting PoC, Patch Analysis & Rule
CVE-2026-7421 affects the Passeum Ticketing plugin for WordPress (up to version 1.0) with a medium severity (CVSS 4.4) stored XSS vulnerability. Update to version 1.0.1 to mitigate risks from authenticated attackers injecting scripts.
June 2, 2026
CVE-2026-5076: ARMember Premium <= 7.3.1 Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation PoC, Patch Analysis & Rule
CVE-2026-5076 affects the ARMember plugin for WordPress (up to 7.3.1) with a critical CVSS score of 9.8. This SQL injection vulnerability allows unauthenticated attackers to exploit insecure password resets. Immediate patching is essential.
June 2, 2026
CVE-2026-5073: ARMember Premium <= 7.3.1 Unauthenticated SQL Injection via 'order' Parameter PoC, Patch Analysis & Rule
CVE-2026-5073 reveals a high severity SQL injection vulnerability in the ARMember plugin for WordPress, affecting versions up to 7.3.1. Users should update to the patched version to mitigate potential data exposure.
June 2, 2026
CVE-2026-5074: ARMember Premium <= 7.3.1 Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Parameter PoC, Patch Analysis & Rule
CVE-2026-5074 affects the ARMember Premium plugin (up to 7.3.1) with a CVSS score of 6.5. This medium severity SQL injection vulnerability can allow authenticated users to extract sensitive data. Ensure the plugin is updated to mitigate...
June 2, 2026
CVE-2026-5191: Tiled Gallery Carousel Without JetPack <= 3.1 Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title' PoC, Patch Analysis & Rule
CVE-2026-5191 affects the Tiled Gallery Carousel Without Jetpack plugin for WordPress, with a CVSS score of 5.4. Authenticated users can exploit this stored XSS vulnerability, so ensure you update to the patched version.
June 2, 2026
CVE-2026-4071: BirdSeed <= 2.2.0 Cross-Site Request Forgery via BirdSeed Token Change PoC, Patch Analysis & Rule
CVE-2026-4071 affects the Birdseed plugin for WordPress (up to v2.2.0) with a medium severity (CVSS 4.3) CSRF vulnerability. Update to the patched version to mitigate unauthorized changes.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
