Cyber Resilience

CVE-2026-4038

Critical

Published: 20 March 2026

Published
20 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-4038 is a critical-severity Missing Authorization (CWE-862) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4038 is an arbitrary function call vulnerability in the Aimogen Pro plugin for WordPress, affecting all versions up to and including 2.7.5. The issue stems from a missing capability check on the 'aiomatic_call_ai_function_realtime' function, enabling privilege escalation. It is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By calling arbitrary WordPress functions via the vulnerable endpoint, such as 'update_option', they can modify site settings like enabling user registration and setting the default new user role to administrator. This allows attackers to register and gain full administrative access to the vulnerable WordPress site.

Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e45a17-cb41-41ba-ab6c-c83202f0ecfd?source=cve and the plugin page on Codecanyon at https://codecanyon.net/item/aimogen-pro-allinone-ai-content-writer-editor-chatbot-automation-toolkit/38877369.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5. This makes it possible…

more

for unauthenticated attackers to call arbitrary WordPress functions such as 'update_option' to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability via arbitrary function calls directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311Shared CWE-862
CVE-2026-3266Shared CWE-862
CVE-2026-45438Shared CWE-862
CVE-2025-23477Shared CWE-862
CVE-2025-68834Shared CWE-862
CVE-2026-22663Shared CWE-862
CVE-2024-12544Shared CWE-862
CVE-2024-50967Shared CWE-862
CVE-2025-68059Shared CWE-862
CVE-2025-14070Shared CWE-862

Affected Assets

Codecanyon
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly mitigating the missing capability check on aiomatic_call_ai_function_realtime that enables unauthenticated arbitrary function calls.

prevent

Validates information inputs to the vulnerable function, preventing attackers from specifying and executing arbitrary WordPress functions like update_option.

prevent

Requires timely identification, reporting, and correction of flaws, enabling patching of the Aimogen Pro plugin vulnerability up to version 2.7.5.

References