CVE-2026-39506
Missing Authorization in Jordy Meow AI Engine Pro Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jordy_meow | ai_engine_pro | up to 3.4.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-39506 vulnerability is a Broken Access Control issue that allows unauthorized privilege escalation in the AI Engine (Pro) WordPress plugin. Such unauthorized access could potentially lead to unauthorized data access or modification.
While the vulnerability itself is classified as low severity with a CVSS score of 4.3 and limited impact, broken access control issues can pose risks to compliance with standards like GDPR or HIPAA, which require strict access controls to protect sensitive data.
Therefore, if exploited, this vulnerability could undermine compliance efforts by allowing users with lower privileges to perform actions reserved for higher privileged roles, potentially exposing or altering protected information.
Mitigation by updating to version 3.4.2 or later is strongly advised to maintain compliance and reduce risk.
Can you explain this vulnerability to me?
CVE-2026-39506 is a Broken Access Control vulnerability found in the WordPress AI Engine (Pro) plugin versions prior to 3.4.2.
The issue arises because of missing authorization, authentication, or nonce token checks in certain plugin functions.
This allows users with lower privileges, such as Contributors or Developers, to perform actions that should be restricted to higher privileged roles.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me?
This vulnerability can allow unauthorized privilege escalation within the affected WordPress plugin.
Unprivileged users with Contributor or Developer roles could perform actions reserved for higher privileged users, potentially compromising site security.
Although the CVSS severity score is 4.3, indicating a low priority threat with limited impact, such vulnerabilities can be exploited in mass campaigns targeting many websites.
Users are advised to update to version 3.4.2 or later to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to missing authorization checks in the WordPress AI Engine (Pro) plugin versions prior to 3.4.2, allowing privilege escalation by users with Contributor or Developer roles.
Detection typically involves verifying the plugin version installed on your WordPress site and checking for unauthorized privilege escalations or suspicious activity from lower-privileged users.
You can check whether an installation is affected by checking the installed plugin version, for example:
- Use WP-CLI to list active plugins and their versions: `wp plugin list --status=active`
- Look for the 'ai-engine-pro' plugin and verify whether its version is below 3.4.2.
Additionally, monitoring WordPress user roles and permissions for unexpected changes or actions performed by users with Contributor or Developer roles may help identify exploitation attempts.
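The version check described above can be scripted so it runs unattended across several sites. The following is an added example, not code from this page or from the plugin vendor; the function names are hypothetical, and it assumes WP-CLI's CSV output plus a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example (not from the advisory page or the plugin vendor).
FIXED_VERSION="3.4.2"          # first patched release, per the advisory
PLUGIN_SLUG="ai-engine-pro"    # plugin name as given on this page

# version_lt A B: true when A is strictly older than B.
# Assumes a sort(1) with -V (GNU coreutils or BusyBox).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_plugin_csv: reads CSV rows "name,status,version" on stdin.
# Returns 0 = patched or absent, 1 = vulnerable, 2 = version unreadable.
check_plugin_csv() {
  found=0; rc=0
  while IFS=, read -r name status version; do
    [ "$name" = "$PLUGIN_SLUG" ] || continue   # also skips the CSV header row
    found=1
    # Strip quotes, spaces and CR that CSV exports may carry.
    version=$(printf '%s' "$version" | tr -d '\r" ')
    if [ -z "$version" ]; then
      echo "UNKNOWN: $name has no readable version"; rc=2
    elif version_lt "$version" "$FIXED_VERSION"; then
      echo "VULNERABLE: $name $version ($status), fixed in $FIXED_VERSION"; rc=1
    else
      echo "OK: $name $version ($status)"
    fi
  done
  [ "$found" -eq 1 ] || echo "NOT INSTALLED: $PLUGIN_SLUG"
  return "$rc"
}

# Usage on a host with WP-CLI (run from the WordPress root):
#   wp plugin list --fields=name,status,version --format=csv | check_plugin_csv
```

Because the usage line omits `--status=active`, inactive copies of the plugin are reported as well, and the non-zero exit code lets a cron job or CI step raise an alert.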
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the AI Engine (Pro) WordPress plugin to version 3.4.2 or later, where this vulnerability has been patched.
If you are using Patchstack, enabling auto-updates for vulnerable plugins can ensure rapid protection against this and similar vulnerabilities.
Additionally, review user roles and permissions to ensure that only trusted users have Contributor or Developer privileges, minimizing the risk of exploitation.