Missing Authorization Vulnerability in AI Chatbot & Workflow Automation Plugin for WordPress
CVE-2026-6803

5.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-6803?

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is susceptible to a Missing Authorization vulnerability that affects all versions up to and including 1.4.12. This issue arises from inadequate capability checks and nonce validation on AJAX actions triggered by both wp_ajax_ and wp_ajax_nopriv_ hooks. Specifically, the base controller's getPermissions() function returns an empty array, and critical methods like removeGroup and clear are not included in getNoncedMethods(). As a result, the authorization checks for these actions erroneously allow unauthenticated attackers to delete individual records by ID or even remove all entries from any database table associated with the modules.

Affected Version(s)

AI Copilot – Content Generator 0 <= 1.4.12

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto
.