Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Draft post exposure constitutes C:L and forced unpublishing causes A:L; PR:N confirmed by both CVSS vector and description's explicit 'unauthenticated attackers' language.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to publish draft WordPress posts, exposing unpublished content, or unpublish live content, causing service disruption, by supplying arbitrary scenario IDs.
AnalysisAI
Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The AI Copilot - Content Generator plugin must be installed and activated on the target WordPress site (versions up to and including 1.4.12). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N scores 5.3 Medium, but this vector appears to understate the actual impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates a WordPress site running the AI Copilot - Content Generator plugin and submits crafted HTTP POST requests to the workspace controller endpoint, cycling through guessable or enumerable scenario IDs. With no authentication check in place, the controller executes the associated publish or unpublish action: the attacker either pulls confidential draft posts into public view or takes a live site's published pages offline en masse. … |
| Remediation | An upstream fix has been committed to the plugin's WordPress.org repository (changeset: https://plugins.trac.wordpress.org/changeset?reponame=&old=3582369%40ai-copilot-content-generator&new=3582369%40ai-copilot-content-generator); however, an exact tagged patched release version is not independently confirmed from available data - update to any version above 1.4.12 once available in the WordPress plugin repository and verify the version in your dashboard. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ai Copilot Content Generator
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43144
GHSA-62q4-whmm-v2fm