Skip to main content

AIWU Plugin EUVDEUVD-2026-43429

| CVE-2026-59515 CRITICAL
SQL Injection (CWE-89)
2026-07-13 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
6.5 MEDIUM

Network SQLi with low complexity; PR:L reflects the typical low-privilege auth for Patchstack plugin SQLi, scope unchanged, high confidentiality read but no integrity/availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:N/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:23 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through <= 1.5.4.

AnalysisAI

Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running AIWU plugin
Delivery
Send crafted request to vulnerable parameter
Exploit
Inject blind SQL payload
Execution
Infer data via boolean/timing responses
Impact
Extract credentials and secrets from database

Vulnerability AssessmentAI

Exploitation The target must be a WordPress site running the AIWU ai-copilot-content-generator plugin at version 1.5.4 or earlier, with the vulnerable plugin request handler reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L, base 9.3) describes an unauthenticated, network-reachable, low-complexity attack with changed scope and high confidentiality impact - signals that justify a Critical rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends crafted HTTP requests to the vulnerable AIWU plugin endpoint on a public WordPress site, embedding blind SQL injection payloads (boolean or time-based) into an unsanitized parameter. By observing response differences or induced delays, the attacker iteratively extracts wp_users password hashes and secret keys from the database, then cracks or reuses them to escalate access. …
Remediation No vendor-released patch version is identified at time of analysis, so no exact upgrade target can be cited from the input; monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ai-copilot-content-generator/vulnerability/wordpress-aiwu-plugin-1-5-4-sql-injection-vulnerability) and the WordPress.org plugin page for a release above 1.5.4 and apply it immediately when available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable and deactivate the ai-copilot-content-generator plugin across all WordPress installations and immediately reset all WordPress administrator credentials and database user passwords. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy