CVE-2026-9810

Unknown · AI Copilot (WordPress Plugin)

The AI Copilot WordPress plugin fails to bind OAuth tokens to specific users, allowing unauthenticated attackers to impersonate administrators and execute privileged tools.

Executive summary

An authentication and privilege management flaw in the AI Copilot WordPress plugin allows unauthenticated attackers to gain administrative access and execute arbitrary commands.

Vulnerability

This vulnerability involves improper privilege management (CWE-269) where the plugin accepts any valid OAuth token as an administrative session. An unauthenticated attacker can complete the public OAuth flow to escalate privileges to the administrator level.

Business impact

Successful exploitation allows an attacker to create new administrative users, escalate privileges, and execute arbitrary MCP tools. This could result in complete site takeover, data theft, and the installation of malicious payloads, presenting an extreme risk to the WordPress environment.

Remediation

Immediate Action: Update the AI Copilot plugin to version 1.5.4 or higher immediately.

Proactive Monitoring: Audit WordPress user accounts for unauthorized additions or changes to roles and review logs for suspicious administrative actions.

Compensating Controls: Disable the AI Copilot plugin entirely until the update can be applied to prevent potential exploitation.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Plugin vulnerabilities of this nature are frequent targets for automated exploitation. Administrators must update the AI Copilot plugin to version 1.5.4 immediately to remediate the risk of account takeovers and privilege escalation.