SQL Injection Vulnerability in AI Chatbot & Workflow Automation Plugin for WordPress
CVE-2026-2993

7.5 HIGH

What is CVE-2026-2993?

The AI Chatbot & Workflow Automation plugin for WordPress is vulnerable to SQL injection in all versions up to and including 1.4.17. The getListForTbl() function builds its SQL queries from user-supplied parameters without sufficient escaping and without properly preparing the existing query, so unauthenticated attackers can append additional SQL to the queries the plugin already runs and extract sensitive information from the database. A partial mitigation, a nonce check limited to administrators, was introduced in version 1.4.11; users should upgrade to the latest version to be fully protected.
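The defect class the advisory describes, shown as an added illustration rather than the plugin's own code: the advisory names getListForTbl() but does not publish its signature or query, so the function names, the parameters ($_POST['orderby'], $_POST['limit']), the table name, the nonce action and the AJAX hook below are all assumed. The first function shows the unprepared-query pattern; the second shows the same listing hardened with a capability check, a nonce check, an identifier allow-list and $wpdb->prepare(), which are standard WordPress APIs.

```php
<?php
// Added example for the advisory above; not code from the AI Chatbot & Workflow
// Automation plugin. Function names, parameters, table and hook names are assumed.

// Assumed vulnerable pattern: request values are concatenated into the SQL text.
// This is the class of defect the advisory describes (no escaping, no prepare()).
function aiwu_example_get_list_for_tbl_vulnerable() {
    global $wpdb;
    $table   = $wpdb->prefix . 'aiwu_items';                      // assumed table name
    $orderby = isset( $_POST['orderby'] ) ? $_POST['orderby'] : 'id';
    $limit   = isset( $_POST['limit'] ) ? $_POST['limit'] : 20;

    // Both $orderby and $limit come straight from the request and end up in the query.
    $sql = "SELECT id, name FROM {$table} ORDER BY {$orderby} LIMIT {$limit}";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: authorise the caller, verify a nonce, allow-list identifiers
// (which prepare() cannot bind) and bind every value through $wpdb->prepare().
function aiwu_example_get_list_for_tbl_safe() {
    global $wpdb;

    // Access control first: an unauthenticated request never reaches the query.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // check_ajax_referer() terminates the request on a missing or invalid nonce.
    check_ajax_referer( 'aiwu_example_list', 'nonce' );

    $table = $wpdb->prefix . 'aiwu_items';   // fixed server-side, never taken from the request

    // Column names cannot be bound as placeholders, so map the request value
    // through an allow-list and fall back to a safe default.
    $allowed_orderby = array( 'id' => 'id', 'name' => 'name', 'created' => 'created_at' );
    $requested = isset( $_POST['orderby'] ) ? sanitize_key( wp_unslash( $_POST['orderby'] ) ) : 'id';
    $orderby   = isset( $allowed_orderby[ $requested ] ) ? $allowed_orderby[ $requested ] : 'id';

    // Numeric values are cast, clamped and then bound with a %d placeholder.
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 20;
    $limit = min( max( $limit, 1 ), 200 );

    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} ORDER BY {$orderby} LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Assumed AJAX registration; only the hardened handler is wired up.
add_action( 'wp_ajax_aiwu_example_list', 'aiwu_example_get_list_for_tbl_safe' );
```

The nonce check alone, which the advisory says was the partial mitigation in 1.4.11, is a CSRF control, not an injection control: it limits who can reach the query but does nothing about how the query is built. The durable fix is the prepare() call plus allow-listing of anything that cannot be bound as a placeholder, with the capability check in front of both.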

Affected Version(s)

AI Chatbot & Workflow Automation by AIWU: 0 <= version <= 1.4.17

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto