Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation.
This issue affects AIWU: from n/a through 1.4.17.
AnalysisAI
Privilege escalation in the AIWU (AI Copilot Content Generator) WordPress plugin by Sergey, affecting all versions up to and including 1.4.17, allows remote unauthenticated attackers to gain elevated privileges on a target WordPress site. The CVSS 9.8 score with AV:N/PR:N indicates no authentication is required and the attack can be carried out over the network against any site running a vulnerable installation. No public exploit identified at time of analysis, but the Patchstack reference indicates this was identified through their managed audit program for WordPress plugins.
Technical ContextAI
AIWU is a WordPress plugin marketed as an AI-driven content generator (registered in the Patchstack database under the slug 'ai-copilot-content-generator'). The root cause is classified as CWE-266 (Incorrect Privilege Assignment), which occurs when a product assigns a user or process a privilege that is greater than what is intended for their role. In the WordPress plugin context, this class of bug typically manifests when a plugin endpoint or capability check assigns elevated roles (e.g., administrator) to users based on attacker-controllable input, missing capability checks on AJAX/REST handlers, or insecure user-meta updates that bypass WordPress's role/capability API.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory lists the vulnerable range as 'n/a through 1.4.17' without naming a fixed version, so administrators should treat all currently published builds as vulnerable until a 1.4.18 (or later) release is confirmed at https://patchstack.com/database/wordpress/plugin/ai-copilot-content-generator/vulnerability/wordpress-aiwu-plugin-1-4-17-privilege-escalation-vulnerability. The most reliable compensating control is to deactivate and remove the AIWU plugin until a fixed version is published, which will eliminate the attack surface entirely at the cost of losing the AI content-generation feature. If the plugin must remain installed, restrict access to /wp-admin and the WordPress REST/AJAX endpoints (admin-ajax.php, wp-json/) via web-application firewall rules or IP allowlisting and audit the wp_users and wp_usermeta tables for unexpected administrator accounts or role grants; these controls reduce exposure but do not patch the underlying flaw and may break legitimate plugin functionality for non-allowlisted users.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33649
GHSA-pfx8-r844-mqr9