Missing Authorization in Geeky Bot Plugin for WordPress
CVE-2026-5294

9.8 CRITICAL

What is CVE-2026-5294?

The Geeky Bot plugin for WordPress is affected by a critical missing-authorization vulnerability in all versions up to and including 1.2.2. A nopriv AJAX route is reachable by unauthenticated attackers, and because that route dispatches arbitrary models and functions, it can be abused to install malicious plugins: an attacker-supplied ZIP file is downloaded and extracted into the wp-content/plugins/ directory, opening the door to remote code execution and further compromise of the hosting environment.
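As an added illustration (not the Geeky Bot plugin's own code, which the advisory does not show), the handler pattern the advisory describes beside a hardened counterpart: an AJAX callback registered on a `wp_ajax_nopriv_` hook with no capability or nonce check that dispatches to whatever class and method the request names, versus one that drops the nopriv hook, requires the `install_plugins` capability, verifies a nonce and only dispatches to an explicit allowlist. The action names, the `model`/`function` parameters and the class names are assumptions.

```php
<?php
// Added example, not the plugin's code. Action names, parameter names and
// class names are assumptions for illustration only.

// VULNERABLE PATTERN (as the advisory describes it): reachable without a
// session via wp_ajax_nopriv_, no capability or nonce check, and the request
// chooses which class and method run.
add_action( 'wp_ajax_nopriv_gb_dispatch', 'gb_dispatch_insecure' );
add_action( 'wp_ajax_gb_dispatch', 'gb_dispatch_insecure' );
function gb_dispatch_insecure() {
    $model    = sanitize_text_field( $_REQUEST['model'] ?? '' );
    $function = sanitize_text_field( $_REQUEST['function'] ?? '' );
    // Any reachable class/method pair can be invoked, including an installer
    // that unpacks a ZIP into wp-content/plugins/.
    call_user_func( array( $model, $function ) );
    wp_die();
}

// HARDENED: logged-in hook only, capability check, nonce check, allowlist.
add_action( 'wp_ajax_gb_dispatch_safe', 'gb_dispatch_secure' ); // no nopriv hook
function gb_dispatch_secure() {
    // Authorization: only users allowed to install plugins may reach this.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }
    // CSRF protection: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'gb_dispatch', 'nonce' );

    // Explicit allowlist: model name -> permitted methods.
    $allowed = array(
        'settings' => array( 'save' ),
        'chat'     => array( 'reply' ),
    );
    // Map allowlisted names to concrete classes instead of trusting input.
    $classes = array( 'settings' => 'GB_Settings', 'chat' => 'GB_Chat' );

    $model    = sanitize_key( $_POST['model'] ?? '' );
    $function = sanitize_key( $_POST['function'] ?? '' );
    if ( ! isset( $allowed[ $model ] ) || ! in_array( $function, $allowed[ $model ], true ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    wp_send_json_success( call_user_func( array( $classes[ $model ], $function ) ) );
}
```

The nonce check alone would not have prevented the issue described here, since an unauthenticated request can still carry a nonce obtained from a public page; the capability check and the removal of the nopriv hook are what close the authorization gap.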

Affected Version(s)

GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content 0 <= 1.2.2

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Di Nhau