Platform: wordpress
Component: aimogen-pro
Fixed in: 2.7.6
CVE-2026-4038 is a Log Denial of Service (LogDoS) vulnerability affecting the PocketMine-MP server software. Attackers can exploit this by sending specially crafted Minecraft LoginPackets containing large or complex data structures within the clientData JWT body, leading to excessive log generation and potential server instability. This vulnerability impacts PocketMine-MP versions up to 5.9.0. A patch is available in version 5.41.1.
The Aimogen Pro plugin for WordPress has a critical 'Arbitrary Function Call' vulnerability (CVE-2026-4038) allowing unauthenticated attackers to escalate privileges. This is due to a missing capability check on the 'aiomaticcallaifunctionrealtime' function. An attacker could exploit this flaw to execute arbitrary WordPress functions, such as 'update_option', modifying the default registration role to grant themselves administrator access. The severity of the issue is high (CVSS 9.8), meaning successful exploitation could compromise the entire WordPress website's security.
An attacker could exploit this vulnerability by sending a specially crafted request to the WordPress website that calls the 'aiomaticcallaifunctionrealtime' function without the required capability. The request's parameters could direct the handler to call 'update_option' and change the default registration role to 'administrator'. Once that change is made, the attacker could register a new user account and gain administrative access to the website.
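The root cause described above is a handler that dispatches to a function named in the request before checking who is asking. The following is an added illustration, not code from the Aimogen Pro plugin or from WordPress, of how such an AJAX handler looks once it carries the capability check the fix is described as adding, together with the two other controls a reviewer would expect (a nonce and an allowlist of callables). The action name, handler name and allowlisted function are hypothetical.

```php
<?php
// Added illustration (not the plugin's own code): a hardened WordPress AJAX
// handler that dispatches to a server-side function chosen by the client.
// All names here (example_call_function, example_summarize_text) are hypothetical.

// Only the logged-in hook is registered. Leaving out wp_ajax_nopriv_ means
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_example_call_function', 'example_call_function_handler' );

function example_call_function_handler() {
    // 1. Capability check: the check CVE-2026-4038 is described as missing.
    //    Any logged-in user can hit a wp_ajax_ hook, so this is what keeps a
    //    subscriber (or an unauthenticated caller, if nopriv were registered)
    //    from reaching the dispatch below. wp_send_json_error() calls wp_die().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: an administrator cannot be tricked into issuing the call.
    check_ajax_referer( 'example_call_function', 'nonce' );

    // 3. Allowlist: even for an administrator, never resolve an arbitrary function
    //    name from the request (that is what made update_option reachable).
    //    Map short public names to known callables instead.
    $allowed = array(
        'summarize' => 'example_summarize_text',
    );
    $name = isset( $_POST['function'] ) ? sanitize_key( wp_unslash( $_POST['function'] ) ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown function' ), 400 );
    }

    // Arguments are sanitized as plain text before they reach the callable.
    $args   = isset( $_POST['args'] ) ? (array) wp_unslash( $_POST['args'] ) : array();
    $result = call_user_func( $allowed[ $name ], array_map( 'sanitize_text_field', $args ) );
    wp_send_json_success( $result );
}

// Hypothetical allowlisted operation.
function example_summarize_text( array $args ) {
    return array( 'summary' => mb_substr( implode( ' ', $args ), 0, 100 ) );
}
```

The order matters: the capability check runs before any request parameter is read, so a request lacking the privilege is rejected without the handler ever looking at the function name it carries.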
Exploit status
EPSS: 0.07% (percentile 22%)
CISA SSVC
CVSS vector
The solution to this vulnerability is to update Aimogen Pro to version 2.7.6 or higher. This version includes a fix that implements the necessary capability check to protect the 'aiomaticcallaifunctionrealtime' function. Immediate updating is recommended to mitigate the risk of exploitation. Additionally, review your website logs for suspicious activity and strengthen overall WordPress security measures, such as using strong passwords and regularly updating all plugins and themes.
Update to version 2.7.6, or a newer patched version
It's a vulnerability that allows an attacker to execute WordPress functions without proper authorization.
It allows an attacker to gain administrative access to a WordPress website, which can result in data loss, website modification, or even complete server control.
As a temporary measure, consider restricting access to the 'aiomaticcallaifunctionrealtime' function using a security plugin or by modifying the plugin's code (with caution).
Review your website logs for suspicious activity, such as unusual logins or unexpected configuration changes.
You can find more information about CVE-2026-4038 on vulnerability databases like the National Vulnerability Database (NVD).
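The advice above to look for unexpected configuration changes and unusual account activity can be turned into a concrete check against the two traces this advisory describes: a changed default registration role and an administrator account created through open registration. The following is an added example, not code from the plugin or from WordPress; it runs inside a WordPress context (for instance from an mu-plugin file), and the expected role and the look-back window are assumptions.

```php
<?php
// Added example (not the plugin's or WordPress's own code): audit for the
// post-exploitation traces described in the advisory. Expected role and
// look-back window are assumed defaults; adjust them to the site's policy.

function example_audit_registration_abuse( $expected_role = 'subscriber', $days = 7 ) {
    $findings = array();

    // Trace 1: the described attack path sets default_role to 'administrator'.
    $default_role = get_option( 'default_role' );
    if ( $default_role !== $expected_role ) {
        $findings[] = sprintf( 'default_role is "%s", expected "%s"', $default_role, $expected_role );
    }

    // Trace 2: an administrator account registered within the look-back window.
    // user_registered is stored as 'Y-m-d H:i:s' in UTC, so a string compare
    // against a UTC timestamp in the same format is sufficient.
    $since  = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    foreach ( $admins as $user ) {
        if ( $user->user_registered >= $since ) {
            $findings[] = sprintf(
                'administrator "%s" (ID %d) registered %s',
                $user->user_login,
                $user->ID,
                $user->user_registered
            );
        }
    }

    // Trace 3: open registration combined with an administrator default role is
    // the exact condition the attack relies on, so flag it on its own.
    if ( get_option( 'users_can_register' ) && 'administrator' === $default_role ) {
        $findings[] = 'users_can_register is enabled and default_role is administrator';
    }

    return $findings;
}

// Example invocation: write one finding per line to the PHP error log.
foreach ( example_audit_registration_abuse() as $finding ) {
    error_log( '[audit] ' . $finding );
}
```

An empty result does not prove the site was untouched, since an attacker with administrator access can restore the option afterwards; it does catch the state the advisory describes, and a non-empty result is a reason to review the web server access log for the 'aiomaticcallaifunctionrealtime' action before the first suspicious registration.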