Skip to main content

AIWU WordPress Plugin CVE-2026-48879

| EUVDEUVD-2026-33649 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-01 audit@patchstack.com GHSA-pfx8-r844-mqr9
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:31 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation.

This issue affects AIWU: from n/a through 1.4.17.

AnalysisAI

Privilege escalation in the AIWU (AI Copilot Content Generator) WordPress plugin by Sergey, affecting all versions up to and including 1.4.17, allows remote unauthenticated attackers to gain elevated privileges on a target WordPress site. The CVSS 9.8 score with AV:N/PR:N indicates no authentication is required and the attack can be carried out over the network against any site running a vulnerable installation. No public exploit identified at time of analysis, but the Patchstack reference indicates this was identified through their managed audit program for WordPress plugins.

Technical ContextAI

AIWU is a WordPress plugin marketed as an AI-driven content generator (registered in the Patchstack database under the slug 'ai-copilot-content-generator'). The root cause is classified as CWE-266 (Incorrect Privilege Assignment), which occurs when a product assigns a user or process a privilege that is greater than what is intended for their role. In the WordPress plugin context, this class of bug typically manifests when a plugin endpoint or capability check assigns elevated roles (e.g., administrator) to users based on attacker-controllable input, missing capability checks on AJAX/REST handlers, or insecure user-meta updates that bypass WordPress's role/capability API.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory lists the vulnerable range as 'n/a through 1.4.17' without naming a fixed version, so administrators should treat all currently published builds as vulnerable until a 1.4.18 (or later) release is confirmed at https://patchstack.com/database/wordpress/plugin/ai-copilot-content-generator/vulnerability/wordpress-aiwu-plugin-1-4-17-privilege-escalation-vulnerability. The most reliable compensating control is to deactivate and remove the AIWU plugin until a fixed version is published, which will eliminate the attack surface entirely at the cost of losing the AI content-generation feature. If the plugin must remain installed, restrict access to /wp-admin and the WordPress REST/AJAX endpoints (admin-ajax.php, wp-json/) via web-application firewall rules or IP allowlisting and audit the wp_users and wp_usermeta tables for unexpected administrator accounts or role grants; these controls reduce exposure but do not patch the underlying flaw and may break legitimate plugin functionality for non-allowlisted users.

Share

CVE-2026-48879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy