Skip to main content

Ai Copilot

1 CVEs product

Monthly

CVE-2026-9810 CRITICAL POC PATCH Act Now

Privilege escalation and full site takeover affects the AI Copilot WordPress plugin before 1.5.4, which fails to bind OAuth access tokens to a specific WordPress user and treats any valid token as an administrator session. An unauthenticated attacker who completes the plugin's public OAuth flow can invoke privileged MCP (Model Context Protocol) tools as an administrator, creating new users and escalating roles. Publicly available exploit code exists and the flaw carries a CVSS 9.8; no active exploitation has been confirmed (not in CISA KEV).

WordPress Privilege Escalation Ai Copilot
NVD WPScan VulDB
CVSS 3.1
9.8
CVSS 9.8
CRITICAL POC PATCH Act Now

Privilege escalation and full site takeover affects the AI Copilot WordPress plugin before 1.5.4, which fails to bind OAuth access tokens to a specific WordPress user and treats any valid token as an administrator session. An unauthenticated attacker who completes the plugin's public OAuth flow can invoke privileged MCP (Model Context Protocol) tools as an administrator, creating new users and escalating roles. Publicly available exploit code exists and the flaw carries a CVSS 9.8; no active exploitation has been confirmed (not in CISA KEV).

WordPress Privilege Escalation Ai Copilot
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy