CVE-2026-9810
Unknown · AI Copilot (WordPress Plugin)
The AI Copilot WordPress plugin fails to bind OAuth tokens to specific users, allowing unauthenticated attackers to impersonate administrators and execute privileged tools.
Executive summary
An authentication and privilege management flaw in the AI Copilot WordPress plugin allows unauthenticated attackers to gain administrative access and execute arbitrary commands.
Vulnerability
This vulnerability involves improper privilege management (CWE-269) where the plugin accepts any valid OAuth token as an administrative session. An unauthenticated attacker can complete the public OAuth flow to escalate privileges to the administrator level.
Business impact
Successful exploitation allows an attacker to create new administrative users, escalate privileges, and execute arbitrary MCP tools. This could result in complete site takeover, data theft, and the installation of malicious payloads, presenting an extreme risk to the WordPress environment.
Remediation
Immediate Action: Update the AI Copilot plugin to version 1.5.4 or higher immediately.
Proactive Monitoring: Audit WordPress user accounts for unauthorized additions or changes to roles and review logs for suspicious administrative actions.
Compensating Controls: Disable the AI Copilot plugin entirely until the update can be applied to prevent potential exploitation.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Plugin vulnerabilities of this nature are frequent targets for automated exploitation. Administrators must update the AI Copilot plugin to version 1.5.4 immediately to remediate the risk of account takeovers and privilege escalation.