CVE-2026-4038
Received Received - Intake
Arbitrary Function Call in Aimogen Pro Plugin Enables Privilege Escalation

Publication date: 2026-03-20

Last updated on: 2026-03-20

Assigner: Wordfence

Description
The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to call arbitrary WordPress functions such as 'update_option' to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4038
EUVD
EUVD-2026-13522
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aimogen pro to 2.7.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Aimogen Pro plugin for WordPress has a vulnerability called Arbitrary Function Call due to a missing capability check in the 'aiomatic_call_ai_function_realtime' function in all versions up to 2.7.5.

This flaw allows unauthenticated attackers to invoke arbitrary WordPress functions, such as 'update_option', which can be exploited to change the default user role for new registrations to administrator.

As a result, attackers can enable user registration and gain administrative access to the vulnerable WordPress site.

Impact Analysis

This vulnerability can have severe impacts including privilege escalation where attackers gain administrative control over your WordPress site without authentication.

With administrative access, attackers can modify site settings, install malicious plugins or themes, steal sensitive data, deface the website, or use the site as a platform for further attacks.

The CVSS score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4038. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart