Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
AnalysisAI
Missing authorization in HBSS Technologies MAIO (AI GEO/SEO tool) WordPress plugin versions up to 6.2.8 allows unauthenticated remote attackers to modify data through incorrectly configured access control, resulting in integrity compromise without authentication requirements. The CVSS score of 5.3 reflects moderate risk with network-based attack vector and no user interaction needed, though EPSS exploitation probability remains very low at 0.02%.
Technical ContextAI
MAIO is a WordPress plugin (CPE: cpe:2.3:a:hbss_technologies:maio_-_the_new_ai_geo_/_seo_tool) that provides AI-powered geographic and SEO optimization features. The vulnerability stems from CWE-862 (Missing Authorization), which indicates the plugin fails to implement proper access control checks on sensitive operations. WordPress plugins inherently operate within the WordPress REST API and admin action handler framework; this vulnerability likely exploits inadequate capability checks (e.g., missing current_user_can() validation) on plugin endpoints or admin actions, allowing unauthenticated or lower-privileged users to invoke functions intended for administrators. The improper access control suggests the plugin exposes administrative or data-modification functionality without verifying user permissions at the application logic layer.
RemediationAI
Update MAIO - The new AI GEO / SEO tool to a version later than 6.2.8 (specific patched version number not independently confirmed in available data). WordPress administrators should navigate to Plugins > Installed Plugins, locate MAIO, and click Update if a newer version is available. For manual remediation pending patch availability, disable the MAIO plugin in WordPress and verify that no unauthenticated users or lower-privileged accounts have gained access to plugin features or data. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/maio-the-new-ai-geo-seo-tool/vulnerability/wordpress-maio-the-new-ai-geo-seo-tool-plugin-6-2-8-broken-access-control-vulnerability?_s_id=cve) for detailed patch release information and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39697) for vendor-coordinated disclosure timeline.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20394
GHSA-x7j8-vvpf-q2cr