Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Network SQLi with low complexity; PR:L reflects the typical low-privilege auth for Patchstack plugin SQLi, scope unchanged, high confidentiality read but no integrity/availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through <= 1.5.4.
AnalysisAI
Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be a WordPress site running the AIWU ai-copilot-content-generator plugin at version 1.5.4 or earlier, with the vulnerable plugin request handler reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L, base 9.3) describes an unauthenticated, network-reachable, low-complexity attack with changed scope and high confidentiality impact - signals that justify a Critical rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends crafted HTTP requests to the vulnerable AIWU plugin endpoint on a public WordPress site, embedding blind SQL injection payloads (boolean or time-based) into an unsanitized parameter. By observing response differences or induced delays, the attacker iteratively extracts wp_users password hashes and secret keys from the database, then cracks or reuses them to escalate access. … |
| Remediation | No vendor-released patch version is identified at time of analysis, so no exact upgrade target can be cited from the input; monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ai-copilot-content-generator/vulnerability/wordpress-aiwu-plugin-1-5-4-sql-injection-vulnerability) and the WordPress.org plugin page for a release above 1.5.4 and apply it immediately when available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: disable and deactivate the ai-copilot-content-generator plugin across all WordPress installations and immediately reset all WordPress administrator credentials and database user passwords. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43429