
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 22, 2026
CVE-2026-5293: 診断ジェネレータ作成プラグイン <= 1.4.16 – Authenticated (Subscriber+) Stored Cross-Site Scripting via 'js' Parameter (os-diagnosis-generator)
CVE-2026-5293 affects the Os Diagnosis Generator plugin for WordPress (up to v1.4.16) with a medium severity CVSS score of 6.4. Authenticated users can exploit stored XSS vulnerabilities; patching is recommended.
May 22, 2026
CVE-2026-8073: Kirki <= 6.0.6 – Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP (kirki)
CVE-2026-8073 affects the Kirki plugin for WordPress (up to version 6.0.6) with a CVSS score of 7.5. Unauthenticated attackers can delete files in the uploads directory. Update to version 6.0.7 to mitigate this risk.
May 22, 2026
CVE-2026-45442: The Ultimate Video Player For WordPress – by Presto Player <= 4.1.3 – Missing Authorization (presto-player)
CVE-2026-45442 affects Presto Player plugin versions up to 4.1.3, allowing unauthorized access to private media. Upgrade to version 4.1.4 to mitigate this medium severity vulnerability.
May 22, 2026
CVE-2026-8096: Kirki <= 6.0.6 – Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action (kirki)
CVE-2026-8096 affects the Kirki plugin (up to version 6.0.6) with a medium severity score of 6.5. Authenticated users can bypass authorization and access sensitive form data. Upgrade to version 6.0.7 to mitigate this risk.
May 22, 2026
CVE-2026-42679: Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.8 – Authenticated (Subscriber+) Arbitrary File Download (classified-listing)
CVE-2026-42679 affects the Classified Listing plugin for WordPress (up to version 5.3.8) with a medium severity (CVSS 4.3). Patch to version 5.3.9 to mitigate the risk of unauthorized file access.
May 22, 2026
CVE-2026-42680: Contest Gallery Pro <= 29.0.1 – Unauthenticated Privilege Escalation (contest-gallery-pro)
CVE-2026-42680 is a critical privilege escalation vulnerability in the Contest Gallery Pro plugin for WordPress, affecting versions up to 29.0.1. Unauthenticated attackers can gain admin access; patch immediately.
May 22, 2026
CVE-2026-45438: Smart Coupons For WooCommerce Coupons < 2.3.0 – Missing Authorization (wt-smart-coupons-for-woocommerce)
CVE-2026-45438 affects the Wt Smart Coupons For WooCommerce plugin (up to version 2.3.0) with a CVSS score of 5.3. This medium-severity remote code execution vulnerability allows unauthorized actions; patch immediately.
May 22, 2026
CVE-2026-42675: Hydra Booking — Appointment Scheduling & Booking Calendar <= 1.1.41 – Missing Authorization (hydra-booking)
CVE-2026-42675 affects the Hydra Booking plugin for WordPress (up to version 1.1.41) with a CVSS score of 5.3. Ensure you update to 1.1.42 to mitigate unauthorized access risks.
May 22, 2026
CVE-2026-42678: GiveWP – Donation Plugin and Fundraising Platform <= 4.14.5 – Unauthenticated Stored Cross-Site Scripting (give)
CVE-2026-42678 affects the GiveWP plugin (up to version 4.14.5) with a high severity CVSS score of 7.2 due to stored XSS vulnerabilities. Upgrade to version 4.14.6 to mitigate risks from potential script injections.
May 22, 2026
CVE-2026-42677: WP Document Revisions <= 3.8.1 – Missing Authorization (wp-document-revisions)
CVE-2026-42677 affects the WP Document Revisions plugin (up to version 3.8.1) with a medium severity CVSS score of 5.3. Unauthenticated attackers can exploit this vulnerability, so updating to version 4.0.0 is crucial for protection.
May 22, 2026
CVE-2026-42676: Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred <= 3.0.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting (mycred)
CVE-2026-42676 affects the myCred plugin for WordPress (up to version 3.0.4) with a medium severity CVSS score of 6.4. Users should upgrade to 3.0.5 to mitigate the Stored Cross-Site Scripting risk.
May 22, 2026
CVE-2026-42672: WP Directory Kit <= 1.5.1 – Unauthenticated SQL Injection (wpdirectorykit)
CVE-2026-42672 reveals a high-severity SQL injection vulnerability in the WP Directory Kit plugin for WordPress (up to 1.5.1). Unauthenticated attackers can exploit this flaw to access sensitive database information. Patch immediately.
May 22, 2026
CVE-2026-42674: Advanced Access Manager – Access Governance for WordPress <= 7.1.0 – Missing Authorization (advanced-access-manager)
CVE-2026-42674 affects the Advanced Access Manager plugin (up to v7.1.0) with a CVSS score of 5.3. Unauthenticated attackers can exploit a missing capability check. Update to v7.1.1 to mitigate this risk.
May 21, 2026
CVE-2026-7615: Widget Context <= 1.3.3 – Cross-Site Request Forgery to Settings Update via 'wl' Parameter (widget-context)
CVE-2026-7615 affects the Widget Context plugin for WordPress (up to v1.3.3) with a medium severity (CVSS 4.3) CSRF vulnerability. Update to v1.4.0 to mitigate the risk of unauthorized widget setting changes.
May 21, 2026
CVE-2026-8679: AudioIgniter Music Player <= 2.0.2 – Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter (audioigniter)
CVE-2026-8679 affects the AudioIgniter plugin (v2.0.2) with a CVSS score of 7.5. Unauthenticated attackers can access sensitive playlist metadata. Update to v2.0.3 to mitigate this vulnerability.
May 21, 2026
CVE-2026-8692: Vedrixa Forms <= 1.1.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification via wefb_save_form_structure AJAX Action (vedrixa-forms-registration-builder)
CVE-2026-8692 affects Vedrixa Forms Registration Builder plugin versions up to 1.1.1, allowing authenticated users to modify forms. Update to version 1.2.0 to mitigate this medium severity authentication bypass.
May 21, 2026
CVE-2026-8684: MotoPress Hotel Booking <= 6.0.1 – Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action (motopress-hotel-booking-lite)
CVE-2026-8684 affects the Motopress Hotel Booking Lite plugin (up to version 6.0.1) with a CVSS score of 5.3. Unauthenticated users can overwrite booking notes; update to version 6.0.2 to mitigate this risk.
May 21, 2026
CVE-2026-7636: Slider by Soliloquy <= 2.8.1 – Authenticated (Subscriber+) Information Disclosure via REST API Endpoint (soliloquy-lite)
CVE-2026-7636 affects the Soliloquy Lite plugin (up to v2.8.1) with a CVSS score of 4.3. Authenticated users can access sensitive draft slider metadata. Update to v2.8.2 to mitigate this risk.
May 21, 2026
CVE-2026-3481: WP Blockade <= 0.9.14 – Reflected Cross-Site Scripting via 'shortcode' Parameter (wp-blockade)
CVE-2026-3481 affects the WP Blockade plugin (up to v0.9.14) with a CVSS score of 6.1. This medium severity XSS vulnerability allows authenticated users to inject scripts. Update to the patched version to mitigate risks.
May 21, 2026
CVE-2026-4070: Alfie <= 1.2.1 – Cross-Site Request Forgery to Feed Deletion via 'delete' Parameter (alfie-the-productfeedtool-wp-plugin)
CVE-2026-4070 affects the Alfie The Productfeedtool WP Plugin (up to version 1.2.1) with a medium severity CVSS score of 4.3. Unauthenticated attackers can exploit this CSRF vulnerability to delete plugin feed data. Patching is essential.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
