AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-03-06
CVE-2026-2721: MailArchiver <= 4.4.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings (mailarchiver)
The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user…
2026-03-06
CVE-2026-1569: Wueen <= 0.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode (wueen)
The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-blocket` shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages…
2026-03-06
CVE-2026-1574: MyQtip – easy qTip2 <= 2.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode (myqtip-easy-qtip2)
The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web…
2026-03-06
CVE-2025-14353: ZIP Code Based Content Protection <= 1.0.2 – Unauthenticated SQL Injection via 'zipcode' Parameter (zip-code-based-content-protection)
The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to…
2026-03-06
CVE-2026-1823: Consensus Embed <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute (consensus-embed)
The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in…
2026-03-06
CVE-2026-1650: MDJM Event Management <= 1.7.8.1 – Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion (mobile-dj-manager)
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
2026-03-06
CVE-2025-8899: Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 – Authenticated (Author+) Privilege Escalation (ppv-live-webcams)
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to…
2026-03-06
CVE-2026-1820: Media Library Alt Text Editor <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute (media-library-alt-text-editor)
The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmalt_sc_div_update_alt_text' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary…
2026-03-06
CVE-2026-1805: DA Media GigList <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute (damedia-giglist)
The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts…
2026-03-06
CVE-2026-1825: Show YouTube video <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute (show-youtube-video)
The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts…
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.