Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.
AnalysisAI
Missing authorization controls in Jordy Meow AI Engine (Pro) WordPress plugin versions prior to 3.4.2 allow authenticated users to modify content they should not have permission to access due to incorrectly configured access control security levels. The vulnerability requires authenticated access (CVSS PR:L) and affects integrity but not confidentiality or availability. With an EPSS score of 0.02% (4th percentile) and no evidence of active exploitation, this represents a low real-world risk despite the authentication bypass tag, primarily affecting multi-user WordPress installations where privilege escalation is possible.
Technical ContextAI
The vulnerability stems from a broken access control implementation (CWE-862) in the AI Engine (Pro) plugin, a WordPress extension designed for AI-powered content generation and management. The plugin fails to properly validate whether an authenticated user has the requisite permissions before allowing them to perform certain actions, resulting in privilege escalation within the WordPress permission model. The issue manifests as incorrectly configured Access Control Security Levels, meaning the plugin's authorization checks either fail to execute, apply insufficient validation, or trust user-supplied input without proper capability verification against WordPress role definitions.
RemediationAI
Update the AI Engine (Pro) plugin to version 3.4.2 or later immediately. Site administrators should navigate to their WordPress plugin dashboard, locate AI Engine (Pro), and click Update. Verify the update succeeds and the plugin is active. For environments unable to update immediately, restrict plugin access through WordPress user role management by removing unnecessary capabilities from Editor and Author roles until the patch is applied. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability for detailed remediation guidance and to confirm patch availability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20172
GHSA-9jvc-v7pv-fp43