CVE-2026-4038

Critical

Published: 20 March 2026

Published

20 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 28.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5. This makes it possible…

for unauthenticated attackers to call arbitrary WordPress functions such as 'update_option' to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly mitigating the missing capability check on aiomatic_call_ai_function_realtime that enables unauthenticated arbitrary function calls.

SI-10 Information Input Validation good match

prevent

Validates information inputs to the vulnerable function, preventing attackers from specifying and executing arbitrary WordPress functions like update_option.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws, enabling patching of the Aimogen Pro plugin vulnerability up to version 2.7.5.

Security SummaryAI

CVE-2026-4038 is an arbitrary function call vulnerability in the Aimogen Pro plugin for WordPress, affecting all versions up to and including 2.7.5. The issue stems from a missing capability check on the 'aiomatic_call_ai_function_realtime' function, enabling privilege escalation. It is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By calling arbitrary WordPress functions via the vulnerable endpoint, such as 'update_option', they can modify site settings like enabling user registration and setting the default new user role to administrator. This allows attackers to register and gain full administrative access to the vulnerable WordPress site.

Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e45a17-cb41-41ba-ab6c-c83202f0ecfd?source=cve and the plugin page on Codecanyon at https://codecanyon.net/item/aimogen-pro-allinone-ai-content-writer-editor-chatbot-automation-toolkit/38877369.

Details

CWE(s): CWE-862

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability via arbitrary function calls directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://codecanyon.net/item/aimogen-pro-allinone-ai-content-writer-editor-chatbot-automation-toolkit/38877369
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e45a17-cb41-41ba-ab6c-c83202f0ecfd?source=cve
security@wordfence.com