CVE-2026-9810
Received Received - Intake

OAuth Token Misuse in AI Copilot WordPress Plugin

Vulnerability report for CVE-2026-9810, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitrary user creation and role escalation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
aiwu ai_chatbot_and_workflow_automation to 1.5.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The AI Copilot WordPress plugin before version 1.5.4 has a flaw where OAuth access tokens are not tied to specific WordPress users. This allows any valid token to be used as an administrator session without proper authentication. Unauthenticated attackers can exploit this by completing the public OAuth flow and then running privileged MCP tools with admin rights.

Detection Guidance

Check the installed version of the AI Chatbot & Workflow Automation plugin. If it is below 1.5.4, the system is vulnerable. Use WordPress admin panel or run: wp plugin list | grep aiwu_ai_chatbot.

Review OAuth token handling in plugin settings. Look for unbound tokens or sessions with admin privileges without proper user association.

Impact Analysis

Attackers could create arbitrary user accounts, escalate their privileges to admin level, and gain full control over the WordPress site. This could lead to data theft, site defacement, or further attacks on visitors.

Compliance Impact

This vulnerability could lead to unauthorized access and data breaches, violating GDPR's data protection requirements and HIPAA's security rules for protected health information. Organizations may face fines or legal consequences for failing to protect user data.

Mitigation Strategies

Update the AI Chatbot & Workflow Automation plugin to version 1.5.4 or later immediately. Disable OAuth flows temporarily if an update is not possible right away.

Audit all admin sessions and user accounts for unauthorized access or privilege escalation. Revoke any suspicious OAuth tokens.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart