
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
May 21, 2026
CVE-2026-9011: Ditty <= 3.1.65 – Missing Authorization to Unauthenticated Sensitive Information Disclosure via ditty_init AJAX Action (ditty-news-ticker)
CVE-2026-9011 affects the Ditty News Ticker plugin (up to version 3.1.65) with a CVSS score of 7.5. This high-severity authentication bypass allows unauthenticated users to access non-public content. Update to version 3.1.66 to mitigate.
May 21, 2026
CVE-2026-9104: Draft List <= 2.6.3 – Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title (simple-draft-list)
CVE-2026-9104 affects the Simple Draft List plugin for WordPress (up to version 2.6.3) with a medium severity (CVSS 6.4) stored XSS vulnerability. Update to version 2.6.4 to mitigate risks from authenticated attacks.
May 21, 2026
CVE-2026-9018: Easy Elements for Elementor – Addons & Website Templates <= 1.4.5 – Unauthenticated Privilege Escalation via 'custom_meta' Parameter (easy-elements)
CVE-2026-9018 affects Easy Elements plugin versions up to 1.4.5, allowing unauthenticated privilege escalation with a CVSS score of 8.8. Ensure you update to the patched version to mitigate this risk.
May 21, 2026
CVE-2026-7798: FluentCRM <= 2.9.87 – Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter (fluent-crm)
CVE-2026-7798 affects the FluentCRM plugin (up to version 2.9.87) with a medium severity (CVSS 5.4) Blind SSRF vulnerability. Update to version 3.0.0 to mitigate risks from unauthenticated attacks.
May 21, 2026
CVE-2026-7509: KIA Subtitle <= 4.0.1 – [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] (kia-subtitle)
CVE-2026-7509 affects the KIA Subtitle plugin (up to 4.0.1) with a medium severity (CVSS 6.4) Stored XSS vulnerability. Users should update to version 4.0.2 to mitigate risks from potential script injections.
May 21, 2026
CVE-2026-7249: Location Weather <= 3.0.2 – Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging (location-weather)
CVE-2026-7249 affects the Location Weather plugin for WordPress (versions
May 21, 2026
CVE-2026-6864: CBX 5 Star Rating & Review <= 1.0.7 – Reflected Cross-Site Scripting via 'page' Parameter (cbxscratingreview)
CVE-2026-6864 affects the CBX 5 Star Rating & Review plugin for WordPress (up to v1.0.7) with a medium severity (CVSS 6.1) XSS vulnerability. Upgrade to v1.0.8 to mitigate risks from potential script injection.
May 21, 2026
CVE-2026-4834: WP ERP Pro <= 1.5.1 – Unauthenticated SQL Injection via 'search_key' Parameter (erp-pro)
CVE-2026-4834 affects the WP ERP Pro plugin (up to v1.5.1) with a high severity CVSS score of 7.5. This SQL injection vulnerability allows unauthenticated attackers to access sensitive data. Update to the patched version to mitigate risks.
May 21, 2026
CVE-2026-6555: ProSolution WP Client <= 2.0.0 – Unauthenticated Arbitrary File Upload via 'files' (prosolution-wp-client)
CVE-2026-6555 affects the ProSolution WP Client plugin (up to 2.0.0) with a critical CVSS score of 9.8. Unauthenticated attackers can upload malicious files. Update to version 2.0.1 to mitigate this vulnerability.
May 21, 2026
CVE-2026-4843: GSheet For Woo Importer <= 2.3.1 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset (import-products-from-gsheet-for-woo-importer)
CVE-2026-4843 affects the GSheet For Woo Importer plugin for WordPress (up to v2.3.1) with a CVSS score of 4.3. Patch to v2.4.1 to prevent unauthorized data loss by authenticated users.
May 21, 2026
CVE-2026-6960: BookingPress Pro <= 5.6 – Unauthenticated Arbitrary File Upload via Signature Custom Field (bookingpress-appointment-booking-pro)
CVE-2026-6960 affects BookingPress Appointment Booking Pro versions up to 5.6, allowing unauthenticated file uploads with a CVSS score of 9.8. Immediate patching is essential to prevent potential remote code execution.
May 21, 2026
CVE-2026-6394: Nexa Blocks <= 1.1.1 – Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter (nexa-blocks)
CVE-2026-6394 affects the Nexa Blocks plugin for WordPress (up to v1.1.1), allowing unauthenticated SSRF attacks. Users should patch to mitigate risks of exposing internal services.
May 21, 2026
CVE-2026-6391: Sentence To SEO (keywords, description and tags) <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters (sentence-to-seo)
CVE-2026-6391 affects the Sentence To SEO plugin for WordPress (version 1.0 and earlier) with a CVSS score of 6.1. Patch to mitigate the risk of Cross-Site Request Forgery and potential XSS attacks.
May 20, 2026
CVE-2026-1543: Avada (Fusion) Builder <= 3.15.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes (fusion-builder)
CVE-2026-1543 affects the Fusion Builder plugin for WordPress (up to v3.15.2) with a CVSS score of 6.4. Authenticated users can exploit stored XSS vulnerabilities, so ensure you update to the patched version to mitigate risks.
May 20, 2026
CVE-2026-1881: Broadstreet <= 1.52.2 – Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta (broadstreet)
CVE-2026-1881 affects the Broadstreet plugin for WordPress (up to version 1.52.2) with a medium severity CVSS score of 4.3. Authenticated attackers can access private post metadata; update to version 1.53.2 to mitigate.
May 20, 2026
CVE-2026-6279: Avada (Fusion) Builder <= 3.15.2 – Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler (fusion-builder)
CVE-2026-6279 affects the Fusion Builder plugin for WordPress (up to version 3.15.2) with a critical CVSS score of 9.8. Unauthenticated remote code execution is possible; patching is essential to mitigate risks.
May 20, 2026
CVE-2026-5118: Divi Form Builder <= 5.1.2 – Unauthenticated Privilege Escalation via 'role' (divi-form-builder)
CVE-2026-5118 affects the Divi Form Builder plugin (up to version 5.1.2) with a critical CVSS score of 9.8, allowing unauthenticated users to escalate privileges. Patch immediately to prevent unauthorized admin account creation.
May 20, 2026
CVE-2026-8685: Infility Global <= 2.15.16 – Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter (infility-global)
CVE-2026-8685 affects the Infility Global plugin for WordPress (up to v2.15.16) with a medium severity (CVSS 6.5) SQL injection vulnerability. Authenticated users can exploit it to access sensitive data; patching is recommended.
May 20, 2026
CVE-2026-4811: WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons <= 1.0.8 – Authenticated (Editor+) Stored Cross-Site Scripting via 'Icon CSS Class' Category Field (wpb-floating-menu-or-categories)
CVE-2026-4811 affects the WPB Floating Menu or Categories plugin (up to v1.0.8) with a medium severity (CVSS 4.9) XSS vulnerability. Update to v1.0.9 to mitigate risks from authenticated attacks.
May 20, 2026
CVE-2026-8423: JaviBola Custom Theme Test <= 2.0.5 – Cross-Site Request Forgery (javibola-custom-theme)
CVE-2026-8423 affects the JaviBola Custom Theme plugin for WordPress (up to v2.0.5) with a medium severity (CVSS 4.3) CSRF vulnerability. Patch or implement WAF rules to mitigate potential theme changes by attackers.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
