AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions to understand and interpret the security issues. What we share here is research-grade proof of concept demonstrations that are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-01-22
CVE-2025-14892: Prime Listing Manager <= 1.1 – Unauthenticated Privilege Escalation via Account Takeover (prime-listing-manager)
The Prime Listing Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and…
2026-01-22
CVE-2026-24561: FluentBoards <= 1.91.1 – Missing Authorization (fluent-boards)
The FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.91.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized…
2026-01-22
CVE-2025-67964: Homey Core <= 2.4.3 – Unauthenticated Stored Cross-Site Scripting (homey-core)
The Homey Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2026-01-22
CVE-2025-69188: Fitness Trainer <= 1.7.1 – Missing Authorization (fitness-trainer)
The Fitness Trainer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-01-22
CVE-2026-24558: ABG Rich Pins <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting (abg-rich-pins)
The ABG Rich Pins plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an…
2026-01-22
CVE-2025-69192: Real Estate Pro <= 2.1.5 – Missing Authorization (real-estate-pro)
The Real Estate Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-01-22
CVE-2025-69182: Institutions Directory <= 1.3.4 – Authenticated (Subscriber+) Privilege Escalation (institutions-directory)
The Institutions Directory plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
2026-01-22
CVE-2025-67967: Lawyer Directory <= 1.3.3 – Missing Authorization (lawyer-directory)
The Lawyer Directory plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
2026-01-22
CVE-2025-69181: Lawyer Directory <= 1.3.4 – Missing Authorization (lawyer-directory)
The Lawyer Directory plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-01-22
CVE-2025-69184: Institutions Directory <= 1.3.4 – Missing Authorization (institutions-directory)
The Institutions Directory plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches
your application.