Skip to main content

AIWU Chatbot Plugin CVE-2026-2993

| EUVDEUVD-2026-29389 HIGH
SQL Injection (CWE-89)
2026-05-12 Wordfence GHSA-8wr2-c6vh-58c4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 08:46 vuln.today
CVE Published
May 12, 2026 - 07:48 nvd
HIGH 7.5

DescriptionCVE.org

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This issue is partially mitigated by a patch in version 1.4.11 that adds a nonce check for a nonce that is only available to administrators.

AnalysisAI

SQL injection in the AIWU AI Chatbot WordPress plugin (versions ≤1.4.17) allows remote unauthenticated attackers to extract sensitive database contents via the getListForTbl() function due to unsanitized user input in SQL queries. Partial mitigation exists in version 1.4.11+ through administrator-only nonce protection, but the underlying SQL injection vulnerability persists. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact. Wordfence provides detailed vulnerable code references across multiple plugin files including controller.php, req.php, and model.php. No evidence of active exploitation (not in CISA KEV) at time of analysis.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin's database query layer. The affected product 'AI Chatbot & Workflow Automation by AIWU' (CPE: cpe:2.3:a:wupsales:ai_chatbot_&_workflow_automation_by_aiwu) handles database operations through the getListForTbl() function in its model layer. The vulnerability stems from direct concatenation or interpolation of user-supplied HTTP parameters into SQL queries without proper escaping or use of prepared statements. WordPress provides $wpdb->prepare() for parameterized queries, but the plugin fails to use it consistently. The partial mitigation in 1.4.11 adds a WordPress nonce check that restricts access to certain admin endpoints, but this is authentication bypass prevention rather than input sanitization - the SQL injection payload can still execute if the nonce check is satisfied or bypassed. The references point to specific line numbers in controller.php (L104, L114, L132, L154, L157), req.php (L194), and model.php (L162) showing the vulnerable code patterns across the plugin architecture.

RemediationAI

WordPress site administrators should immediately update the AIWU AI Chatbot plugin to a version beyond 1.4.17 that fully addresses the SQL injection vulnerability, once released by the vendor. As of this analysis, no fully patched version has been confirmed - the vendor's 1.4.11 release only adds nonce authentication, which mitigates but does not eliminate the underlying CWE-89 flaw. Monitor the WordPress plugin repository and Wordfence advisories for a complete security release. Until a proper fix is available, implement these compensating controls: (1) If the chatbot functionality is not business-critical, deactivate and uninstall the plugin entirely - this eliminates all attack surface. (2) If plugin must remain active, restrict wp-admin access to trusted IP addresses via web application firewall rules or .htaccess directives, reducing the attack surface for obtaining administrator nonces. Trade-off: this breaks legitimate remote admin access and may interfere with WordPress mobile apps. (3) Deploy a WordPress security plugin with virtual patching capabilities (e.g., Wordfence, Sucuri) that can filter malicious SQL patterns in HTTP requests. Trade-off: may cause false positives requiring tuning. (4) Enable WordPress database activity logging to detect SQL injection attempts via unusual query patterns. Review the specific vulnerable code locations in controller.php, req.php, and model.php referenced at https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/ to understand your exposure profile.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-2993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy