CVE-2026-15982
CodeRevolution · Aimogen Pro
The Aimogen Pro WordPress plugin is vulnerable to unauthenticated privilege escalation, allowing attackers to execute arbitrary PHP functions and create administrator accounts via missing capability checks.
Executive summary
A critical privilege escalation vulnerability in the CodeRevolution Aimogen Pro plugin allows unauthenticated attackers to gain full administrative control over affected WordPress sites.
Vulnerability
The vulnerability stems from a missing capability check in the aiomatic_call_google_ai_function function. This allows unauthenticated attackers to invoke the aimogen_wp_god_mode tool, bypassing security restrictions to execute arbitrary code or create unauthorized administrative accounts.
Business impact
Successful exploitation grants an attacker full administrative access to the WordPress environment. This results in complete data compromise, potential distribution of malware, and the ability to modify or delete site content. With a CVSS score of 9.8, this vulnerability represents an immediate and critical threat to organizational integrity and data security.
Remediation
Immediate Action: Update the Aimogen Pro plugin to the latest available version immediately. If an update is not currently available, deactivate and remove the plugin from the environment until a patch is applied.
Proactive Monitoring: Monitor WordPress administrative user creation logs for suspicious activity. Review audit logs for unauthorized access to internal plugin functions or unusual execution of PHP system functions.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block requests targeting the aiomatic_call_google_ai_function endpoint. Ensure that administrative interfaces are restricted to trusted IP addresses.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
The severity of this vulnerability cannot be overstated, as it provides a direct path to full site compromise. Administrators must prioritize patching this plugin immediately to prevent unauthorized administrative access. If immediate patching is not possible, the plugin should be disabled to eliminate the attack vector.