Platform: wordpress
Component: aimogen-pro
Fixed in: 2.7.6
CVE-2026-4038 is a Log Denial of Service (LogDoS) vulnerability affecting the PocketMine-MP server software. Attackers can exploit this by sending specially crafted Minecraft LoginPackets containing large or complex data structures within the clientData JWT body, leading to excessive log generation and potential server instability. This vulnerability impacts PocketMine-MP versions up to 5.9.0. A patch is available in version 5.41.1.
The Aimogen Pro plugin for WordPress has a critical 'Arbitrary Function Call' vulnerability (CVE-2026-4038) allowing unauthenticated attackers to escalate privileges. This is due to a missing capability check on the 'aiomaticcallaifunctionrealtime' function. An attacker could exploit this flaw to execute arbitrary WordPress functions, such as 'update_option', modifying the default registration role to grant themselves administrator access. The severity of the issue is high (CVSS 9.8), meaning successful exploitation could compromise the entire WordPress website's security.
An attacker could exploit this vulnerability by sending a specially crafted request to the WordPress website that calls the 'aiomaticcallaifunctionrealtime' function without the required capability. This request could include parameters that cause 'update_option' to be called to change the default registration role to 'administrator'. Once the option has been changed, the attacker could register a new user account and gain administrative access to the website.
Exploit Status:
EPSS: 0.07% (22nd percentile)
CISA SSVC:
CVSS Vector:
The solution to this vulnerability is to update Aimogen Pro to version 2.7.6 or higher. This version includes a fix that implements the necessary capability check to protect the 'aiomaticcallaifunctionrealtime' function. Immediate updating is recommended to mitigate the risk of exploitation. Additionally, review your website logs for suspicious activity and strengthen overall WordPress security measures, such as using strong passwords and regularly updating all plugins and themes.
Update to version 2.7.6, or a newer patched version
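The root cause described above is a handler reachable without a capability check. The following is an added illustration, not code from the Aimogen Pro plugin: a hypothetical WordPress AJAX handler (`demo_call_function`, an assumed name) written first with the missing-check pattern and then in a hardened form, plus a small post-incident check for the specific impact this advisory names (a changed default registration role). The nonce action name, the `manage_options` capability choice and the allowlist contents are assumptions for the example.

```php
<?php
// Added example (not the Aimogen Pro plugin's own code). All handler and
// action names here are hypothetical.

// --- Vulnerable pattern: reachable by logged-out visitors (the nopriv hook),
//     no nonce, no capability check, and the request itself names the
//     function to run. This is the shape of a "missing capability check" bug.
add_action('wp_ajax_nopriv_demo_call_function', 'demo_call_function_vulnerable');
add_action('wp_ajax_demo_call_function',        'demo_call_function_vulnerable');

function demo_call_function_vulnerable() {
    $fn   = isset($_POST['function']) ? (string) $_POST['function'] : '';
    $args = isset($_POST['args'])
        ? (array) json_decode(wp_unslash((string) $_POST['args']), true)
        : array();
    if (function_exists($fn)) {
        // Any WordPress function, for any caller: this is the defect.
        wp_send_json_success(call_user_func_array($fn, $args));
    }
    wp_send_json_error('unknown function');
}

// --- Hardened pattern: authenticated only (no nopriv hook), CSRF nonce,
//     explicit capability check, and a fixed allowlist of operations instead
//     of raw function names from the request.
add_action('wp_ajax_demo_call_function', 'demo_call_function_hardened');

function demo_call_function_hardened() {
    // Rejects requests that lack a valid nonce for this action (assumed name).
    check_ajax_referer('demo_call_function', 'nonce');

    // The check whose absence the advisory describes. Pick the capability that
    // matches the operation; manage_options is an assumption for this example.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    // Allowlist: the client selects an operation key, never a function name.
    $allowed = array(
        'site_name' => function () { return get_bloginfo('name'); },
        'site_url'  => function () { return home_url(); },
    );
    $op = isset($_POST['op']) ? sanitize_key($_POST['op']) : '';
    if (!isset($allowed[$op])) {
        wp_send_json_error('unknown operation', 400);
    }
    wp_send_json_success(call_user_func($allowed[$op]));
}

// --- Post-incident check for the impact described in this advisory: a
//     default registration role that grants elevated rights. Returns a
//     human-readable status string suitable for a cron job or WP-CLI eval.
function demo_audit_default_role() {
    $role = get_option('default_role', 'subscriber');
    $elevated = array('administrator', 'editor', 'author');
    if (in_array($role, $elevated, true)) {
        return "ALERT: default_role is '$role'; expected 'subscriber'";
    }
    return "ok: default_role is '$role'";
}
```

The hardened handler deliberately has no `wp_ajax_nopriv_` registration, so unauthenticated requests never reach it; the capability check then limits it to the intended role, and the allowlist removes the ability to name arbitrary functions at all. For the log review this page recommends, the same audit can be done from the command line with the standard WP-CLI commands `wp option get default_role` and `wp user list --role=administrator --field=user_login`, comparing the administrator list against the accounts you expect to exist.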
It's a vulnerability that allows an attacker to execute WordPress functions without proper authorization.
It allows an attacker to gain administrative access to a WordPress website, which can result in data loss, website modification, or even complete server control.
As a temporary measure, consider restricting access to the 'aiomaticcallaifunctionrealtime' function using a security plugin or by modifying the plugin's code (with caution).
Review your website logs for suspicious activity, such as unusual logins or unexpected configuration changes.
You can find more information about CVE-2026-4038 on vulnerability databases like the National Vulnerability Database (NVD).