Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call
Platform
wordpress
Component
aimogen-pro
Fixed version
2.7.6
Impact and attack scenarios
The Aimogen Pro plugin for WordPress contains a critical Arbitrary Function Call vulnerability (CVE-2026-4038) that allows unauthenticated attackers to escalate privileges. The cause is a missing capability check on the 'aiomaticcallaifunctionrealtime' function. An attacker could use this flaw to execute arbitrary WordPress functions, such as 'update_option', and change the default registration role so that a newly registered account receives administrator access. The severity of the issue is high (CVSS 9.8): successful exploitation can compromise the security of the entire WordPress website.
Exploitation context
An attacker could exploit this vulnerability by sending a specially crafted request to the WordPress website that invokes the 'aiomaticcallaifunctionrealtime' function without holding the required capability. The request could carry parameters that make the handler call 'update_option' and set the default registration role to 'administrator'. Once that change is in place, the attacker could register a new user account and obtain administrative access to the website.
Threat intelligence
EPSS
0.07% (22nd percentile)
CVSS vector
- Attack Vector
- Network: exploitable remotely over the Internet, with no physical or local access required; the largest possible attack surface.
- Attack Complexity
- Low: no special conditions are required and the vulnerability can be exploited reliably.
- Privileges Required
- None: no authentication or credentials are needed to exploit it.
- User Interaction
- None: the attack is automatic and silent; the victim does not need to take any action.
- Scope
- Unchanged: the impact is limited to the vulnerable component itself.
- Confidentiality
- High: total loss of confidentiality; the attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete any data.
- Availability
- High: a complete crash or resource exhaustion, i.e. a full denial of service.
Mitigations and workarounds
The solution to this vulnerability is to update Aimogen Pro to version 2.7.6 or higher. This version includes a fix that implements the necessary capability check to protect the 'aiomaticcallaifunctionrealtime' function. Immediate updating is recommended to mitigate the risk of exploitation. Additionally, review your website logs for suspicious activity and strengthen overall WordPress security measures, such as using strong passwords and regularly updating all plugins and themes.
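As an added illustration of the fix class this advisory describes (this is not code from Aimogen Pro or its vendor; the handler name, action name, allowlist entries and helper functions are all hypothetical), here is a WordPress AJAX handler that exposes server-side functions with a capability check, a nonce check and a fixed allowlist in place, so that a request can never name an arbitrary function such as 'update_option':

```php
<?php
/**
 * Added example, not Aimogen Pro's own code. Handler, action and
 * allowlist names are hypothetical; the checks are standard WordPress APIs.
 */

// Only the functions this feature genuinely needs, keyed by a request-safe
// name. A function name supplied by the request is never used as a callable.
const AIFN_ALLOWED_FUNCTIONS = [
    'summarize' => 'aifn_summarize_text',   // hypothetical plugin function
    'translate' => 'aifn_translate_text',   // hypothetical plugin function
];

function aifn_summarize_text( string $text ): string { return substr( $text, 0, 100 ); }
function aifn_translate_text( string $text ): string { return $text; }

function aifn_call_function_realtime() {
    // 1. Capability check: the control that was missing in CVE-2026-4038.
    //    The capability should match the least privilege the feature needs.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }

    // 2. CSRF protection for the logged-in user issuing the request.
    check_ajax_referer( 'aifn_realtime', 'nonce' );

    // 3. Dispatch only through the allowlist; option-changing functions such
    //    as update_option are simply not reachable from this endpoint.
    $action = sanitize_key( $_POST['fn'] ?? '' );
    if ( ! isset( AIFN_ALLOWED_FUNCTIONS[ $action ] ) ) {
        wp_send_json_error( 'unknown function', 400 );
    }

    $text   = sanitize_textarea_field( wp_unslash( $_POST['text'] ?? '' ) );
    $result = call_user_func( AIFN_ALLOWED_FUNCTIONS[ $action ], $text );

    wp_send_json_success( $result );
}

// Registered for authenticated users only: deliberately no wp_ajax_nopriv_ hook,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_aifn_call_function_realtime', 'aifn_call_function_realtime' );
```

When reviewing a plugin for this bug class, look for `wp_ajax_nopriv_` registrations (or REST routes with a permissive `permission_callback`) whose handlers pass request-controlled strings to `call_user_func`, `call_user_func_array` or variable function calls.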
Remediation
Update to version 2.7.6, or a newer patched version
Frequently asked questions
What is CVE-2026-4038 — Privilege Escalation in Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit?
It's a vulnerability that allows an attacker to execute WordPress functions without proper authorization.
Am I affected by CVE-2026-4038 in Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit?
It allows an attacker to gain administrative access to a WordPress website, which can result in data loss, website modification, or even complete server control.
How do I fix CVE-2026-4038 in Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit?
As a temporary measure, consider restricting access to the 'aiomaticcallaifunctionrealtime' function using a security plugin or by modifying the plugin's code (with caution).
Is CVE-2026-4038 being actively exploited?
Review your website logs for suspicious activity, such as unusual logins or unexpected configuration changes.
Where can I find the official Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit advisory for CVE-2026-4038?
You can find more information about CVE-2026-4038 on vulnerability databases like the National Vulnerability Database (NVD).