AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-02-04
CVE-2025-68834: Sync Master Sheet – Product Sync with Google Sheet for WooCommerce <= 1.1.3 – Missing Authorization (product-sync-master-sheet)
The Sync Master Sheet – Product Sync with Google Sheet for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-02-04
CVE-2025-68024: Addonify – WooCommerce Wishlist <= 2.0.15 – Missing Authorization to Unauthenticated Settings Update (addonify-wishlist)
The Addonify – WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.15. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-02-04
CVE-2026-24988: The Events Calendar Shortcode & Block <= 3.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting (the-events-calendar-shortcode)
The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a…
2026-02-04
CVE-2025-68023: Addonify – Compare Products For WooCommerce <= 1.1.17 – Missing Authorization to Unauthenticated Settings Update (addonify-compare-products)
The Addonify – Compare Products For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.17. This makes it possible for unauthenticated attackers to update plugin settings.
2026-02-04
CVE-2025-68841: TopperPack – Complete Elementor Addons, Theme & CPT Builder <= 1.2.1 – Unauthenticated Local File Inclusion (topper-pack)
The TopperPack – Complete Elementor Addons, Theme & CPT Builder plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be…
2026-02-04
CVE-2025-68853: Contact Manager <= 9.1 – Unauthenticated PHP Object Injection (contact-manager)
The Contact Manager plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 9.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional…
2026-02-04
CVE-2026-1319: Robin Image Optimizer <= 2.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field (robin-image-optimizer)
The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level…
2026-02-04
CVE-2025-67979: WPForms Google Sheet Connector <= 4.0.1 – Authenticated (Subscriber+) Remote Code Execution (gsheetconnector-wpforms)
The GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.
2026-02-04
CVE-2026-23976: Modula Image Gallery <= 2.13.4 – Authenticated (Author+) Stored Cross-Site Scripting (modula-best-grid-gallery)
The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.13.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an…
2026-02-04
CVE-2026-1268: Dynamic Widget Content <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field (dynamic-widget-content)
The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to…
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.