Skip to main content

Ai Engine Pro EUVDEUVD-2026-20172

| CVE-2026-39506 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-9jvc-v7pv-fp43
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20172
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.

AnalysisAI

Missing authorization controls in Jordy Meow AI Engine (Pro) WordPress plugin versions prior to 3.4.2 allow authenticated users to modify content they should not have permission to access due to incorrectly configured access control security levels. The vulnerability requires authenticated access (CVSS PR:L) and affects integrity but not confidentiality or availability. With an EPSS score of 0.02% (4th percentile) and no evidence of active exploitation, this represents a low real-world risk despite the authentication bypass tag, primarily affecting multi-user WordPress installations where privilege escalation is possible.

Technical ContextAI

The vulnerability stems from a broken access control implementation (CWE-862) in the AI Engine (Pro) plugin, a WordPress extension designed for AI-powered content generation and management. The plugin fails to properly validate whether an authenticated user has the requisite permissions before allowing them to perform certain actions, resulting in privilege escalation within the WordPress permission model. The issue manifests as incorrectly configured Access Control Security Levels, meaning the plugin's authorization checks either fail to execute, apply insufficient validation, or trust user-supplied input without proper capability verification against WordPress role definitions.

RemediationAI

Update the AI Engine (Pro) plugin to version 3.4.2 or later immediately. Site administrators should navigate to their WordPress plugin dashboard, locate AI Engine (Pro), and click Update. Verify the update succeeds and the plugin is active. For environments unable to update immediately, restrict plugin access through WordPress user role management by removing unnecessary capabilities from Editor and Author roles until the patch is applied. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability for detailed remediation guidance and to confirm patch availability.

Share

EUVD-2026-20172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy