Skip to main content

AI Copilot WordPress Plugin EUVDEUVD-2026-43144

| CVE-2026-6804 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-62q4-whmm-v2fm
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
7.3 HIGH

Draft post exposure constitutes C:L and forced unpublishing causes A:L; PR:N confirmed by both CVSS vector and description's explicit 'unauthenticated attackers' language.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:21 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 5.3

DescriptionCVE.org

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to publish draft WordPress posts, exposing unpublished content, or unpublish live content, causing service disruption, by supplying arbitrary scenario IDs.

AnalysisAI

Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with AI Copilot plugin active
Delivery
Send unauthenticated HTTP request to workspace controller endpoint
Exploit
Supply enumerated or guessed scenario ID
Execution
Bypass missing authorization check
Impact
Publish confidential draft content or unpublish live posts

Vulnerability AssessmentAI

Exploitation The AI Copilot - Content Generator plugin must be installed and activated on the target WordPress site (versions up to and including 1.4.12). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N scores 5.3 Medium, but this vector appears to understate the actual impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker enumerates a WordPress site running the AI Copilot - Content Generator plugin and submits crafted HTTP POST requests to the workspace controller endpoint, cycling through guessable or enumerable scenario IDs. With no authentication check in place, the controller executes the associated publish or unpublish action: the attacker either pulls confidential draft posts into public view or takes a live site's published pages offline en masse. …
Remediation An upstream fix has been committed to the plugin's WordPress.org repository (changeset: https://plugins.trac.wordpress.org/changeset?reponame=&old=3582369%40ai-copilot-content-generator&new=3582369%40ai-copilot-content-generator); however, an exact tagged patched release version is not independently confirmed from available data - update to any version above 1.4.12 once available in the WordPress plugin repository and verify the version in your dashboard. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy