Platform
wordpress
Component
aimogen-pro
Fixed version
2.7.6
CVE-2026-4038 is a Log Denial of Service (LogDoS) vulnerability affecting the PocketMine-MP server software. Attackers can exploit this by sending specially crafted Minecraft LoginPackets containing large or complex data structures within the clientData JWT body, leading to excessive log generation and potential server instability. This vulnerability impacts PocketMine-MP versions up to 5.9.0. A patch is available in version 5.41.1.
The Aimogen Pro plugin for WordPress has a critical 'Arbitrary Function Call' vulnerability (CVE-2026-4038) allowing unauthenticated attackers to escalate privileges. This is due to a missing capability check on the 'aiomaticcallaifunctionrealtime' function. An attacker could exploit this flaw to execute arbitrary WordPress functions, such as 'update_option', modifying the default registration role to grant themselves administrator access. The severity of the issue is high (CVSS 9.8), meaning successful exploitation could compromise the entire WordPress website's security.
An attacker could exploit this vulnerability by sending a specially crafted request to the WordPress website that reaches the 'aiomaticcallaifunctionrealtime' function without the required capability. The request could carry parameters that cause the plugin to call 'update_option', changing the default registration role to 'administrator'. Once that change is in place, the attacker could register a new user account and thereby gain administrative access to the website.
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The solution to this vulnerability is to update Aimogen Pro to version 2.7.6 or higher. This version includes a fix that implements the necessary capability check to protect the 'aiomaticcallaifunctionrealtime' function. Immediate updating is recommended to mitigate the risk of exploitation. Additionally, review your website logs for suspicious activity and strengthen overall WordPress security measures, such as using strong passwords and regularly updating all plugins and themes.
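The missing check that the fix restores, shown as an added example rather than Aimogen Pro's own code: a hypothetical WordPress AJAX handler that dispatches to a caller-named function, first with no capability check (the pattern the advisory describes) and then hardened with a capability check, a nonce and an explicit allowlist. The hook names and the helper `example_get_summary` are assumptions; `current_user_can`, `check_ajax_referer`, `update_option` and the `wp_ajax_`/`wp_ajax_nopriv_` hooks are real WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. Hook and helper names are hypothetical.

// --- Vulnerable pattern: registered on the nopriv hook with no capability
// check, so an unauthenticated request can name any PHP function, including
// update_option(), and have it called with attacker-chosen arguments.
function example_call_function_vulnerable() {
    $fn   = sanitize_text_field( $_POST['function'] ?? '' );
    $args = (array) ( $_POST['args'] ?? array() );
    if ( function_exists( $fn ) ) {
        wp_send_json_success( call_user_func_array( $fn, $args ) ); // exits
    }
    wp_send_json_error( 'unknown function', 400 ); // exits
}
add_action( 'wp_ajax_nopriv_example_call_function', 'example_call_function_vulnerable' );

// --- Hardened pattern: only logged-in users with an admin capability,
// a nonce against CSRF, and dispatch restricted to an explicit allowlist
// so 'update_option' can never be reached through this endpoint.
function example_call_function_hardened() {
    check_ajax_referer( 'example_call_function', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // Map of public action names to the plugin's own callables (hypothetical).
    $allowed = array(
        'get_summary' => 'example_get_summary',
    );
    $fn = sanitize_key( $_POST['function'] ?? '' );
    if ( ! isset( $allowed[ $fn ] ) ) {
        wp_send_json_error( 'unknown function', 400 ); // exits
    }
    wp_send_json_success( call_user_func( $allowed[ $fn ] ) ); // exits
}
// No wp_ajax_nopriv_ registration: anonymous requests never reach the handler.
add_action( 'wp_ajax_example_call_function', 'example_call_function_hardened' );

// Hypothetical plugin helper referenced by the allowlist above.
function example_get_summary() {
    return array( 'status' => 'ok' );
}
```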
Update to version 2.7.6 or a later fixed version.
It's a vulnerability that allows an attacker to execute WordPress functions without proper authorization.
It allows an attacker to gain administrative access to a WordPress website, which can result in data loss, website modification, or even complete server control.
As a temporary measure, consider restricting access to the 'aiomaticcallaifunctionrealtime' function using a security plugin or by modifying the plugin's code (with caution).
Review your website logs for suspicious activity, such as unusual logins or unexpected configuration changes.
You can find more information about CVE-2026-4038 on vulnerability databases like the National Vulnerability Database (NVD).