Skip to main content

Ai Copilot Content Generator

2 CVEs product

Monthly

CVE-2026-6804 MEDIUM This Month

Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-6803 MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy