Cyber Posture

CVE-2026-5294

Critical

Published: 05 May 2026
Modified: 05 May 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.

Mitigating Controls (NIST 800-53 r5) [AI]

- AC-3 (prevent): mandates enforcement of approved authorizations, directly countering the missing authorization on the nopriv AJAX route that enables unauthenticated plugin installation and RCE.
- AC-14 (prevent): explicitly identifies and restricts the actions allowed without authentication, preventing nopriv routes from reaching plugin installer functions.
- AC-6 (prevent): applies least privilege so that unauthenticated (nopriv) code paths do not possess the permissions needed to download, unzip, and install arbitrary plugins.

Security Summary [AI]

CVE-2026-5294 is a missing authorization vulnerability (CWE-862) in the Geeky Bot plugin for WordPress, affecting versions up to and including 1.2.2. The flaw arises from a nopriv AJAX route that permits attacker-controlled model and function dispatch, granting access to a plugin installer helper. This helper downloads and unzips attacker-supplied ZIP files directly into the wp-content/plugins/ directory, enabling unauthorized plugin deployment.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows arbitrary plugin installation, culminating in remote code execution on the affected WordPress site, with high confidentiality, integrity, and availability impacts.

Mitigation details are provided in the WordPress plugin trac changeset 3497169 at https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot, which addresses the issue. Further analysis appears in Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve. Practitioners should update to a patched version of the plugin beyond 1.2.2.

Details

CWE(s): CWE-862 (Missing Authorization)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The missing authorization flaw in the public-facing WordPress plugin directly enables unauthenticated remote exploitation (T1190) and causes the server itself to download and unzip attacker-supplied ZIP files into the plugins directory (T1105), resulting in arbitrary code deployment and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References