Skip to main content

AIWU AI Copilot CVE-2026-6803

| EUVDEUVD-2026-43134 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-cvg5-h6q6-299w
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
8.2 HIGH

Mass deletion of all records from any plugin table warrants I:H over I:L; A:L reflects loss of plugin functionality; PR:N confirmed by wp_ajax_nopriv_ hook registration.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:09 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 5.3

DescriptionCVE.org

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table by unauthenticated attackers.

AnalysisAI

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin active
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php
Exploit
Specify removeGroup or clear AJAX action
Execution
Auth gate passes unconditionally (getPermissions returns empty array)
Persist
No nonce checked (action absent from getNoncedMethods)
Impact
All target module database records deleted

Vulnerability AssessmentAI

Exploitation The WordPress site must have the AI Copilot - Content Generator plugin installed and activated in versions 1.4.12 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) understates the integrity impact: the description explicitly allows deletion of ALL records from any module's database table, not merely specific limited modifications - this warrants I:H rather than I:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP POST request to a target WordPress site's wp-admin/admin-ajax.php endpoint with the action parameter set to the plugin's removeGroup or clear handler. The authorization gate returns true unconditionally and no nonce is validated, so the server processes the deletion request without any identity check. …
Remediation A fix commit is referenced via the WordPress Plugin SVN changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3582369%40ai-copilot-content-generator&new=3582369%40ai-copilot-content-generator), though the exact patched release version number is not independently confirmed from the provided data - upstream fix available (commit/changeset); released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy