Cyber Posture

CVE-2026-5294

Critical

Published: 05 May 2026

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5294 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 48.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 (prevent): mandates enforcement of approved authorizations, directly countering the missing authorization on the nopriv AJAX route that enables unauthenticated plugin installation and RCE.
- AC-14 (prevent): explicitly identifies and restricts the actions permitted without authentication, preventing nopriv routes from reaching plugin installer functions.
- AC-6 (prevent): applies least privilege so that unauthenticated (nopriv) request paths do not hold the permissions needed to download, unzip, and install arbitrary plugins.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1105 Ingress Tool Transfer (Command And Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The missing authorization flaw in the public-facing WordPress plugin directly enables unauthenticated remote exploitation (T1190) and forces the server to download and unzip attacker-supplied ZIPs into the plugins directory (T1105), resulting in arbitrary code deployment and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.

Deeper analysis

CVE-2026-5294 is a missing authorization vulnerability (CWE-862) in the Geeky Bot plugin for WordPress, affecting versions up to and including 1.2.2. The flaw arises from a nopriv AJAX route that permits attacker-controlled model and function dispatch, granting access to a plugin installer helper. This helper downloads and unzips attacker-supplied ZIP files directly into the wp-content/plugins/ directory, enabling unauthorized plugin deployment.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows arbitrary plugin installation, culminating in remote code execution on the affected WordPress site, with high confidentiality, integrity, and availability impacts.

Mitigation details are provided in the WordPress plugin Trac changeset 3497169 at https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot, which addresses the issue. Further analysis appears in Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve. Practitioners should update to a patched version of the plugin beyond 1.2.2.
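As an added illustration (not the Geeky Bot plugin's code and not the changeset above), the following hypothetical WordPress AJAX handlers contrast the weak pattern the description gives, a nopriv route that dispatches to a request-chosen model/function and can reach an installer helper, with a hardened form that applies the AC-3/AC-14/AC-6 controls listed above: no nopriv registration for privileged actions, an explicit allow-list instead of open dispatch, a nonce, and a per-action capability check. All names (gb_*, GB_Installer, GB_Status, the nonce action) are invented for this example.

```php
<?php
// Hypothetical example, not the Geeky Bot plugin's code. All names are invented.

// WEAK PATTERN (as the NVD description characterises the flaw): the route is
// registered on wp_ajax_nopriv_*, so it runs for unauthenticated requests, and it
// dispatches to whatever class/method the request names. If an installer helper is
// reachable this way, nothing stops an unauthenticated caller from reaching it.
add_action( 'wp_ajax_nopriv_gb_dispatch', 'gb_dispatch_weak' );
function gb_dispatch_weak() {
    $model = sanitize_text_field( wp_unslash( $_POST['model'] ?? '' ) );
    $func  = sanitize_text_field( wp_unslash( $_POST['func'] ?? '' ) );
    call_user_func( array( $model, $func ), $_POST ); // no authorization, no allow-list
    wp_die();
}

// HARDENED FORM: privileged actions live only on the authenticated hook (AC-14),
// dispatch is limited to an explicit allow-list, and each action names the
// capability it requires (AC-3 / AC-6). A CSRF nonce is verified as well.
const GB_ACTIONS = array(
    // action key    => array( callable, required capability )
    'install_plugin' => array( array( 'GB_Installer', 'install' ), 'install_plugins' ),
    'get_status'     => array( array( 'GB_Status', 'read' ),      'manage_options' ),
);

add_action( 'wp_ajax_gb_dispatch', 'gb_dispatch_hardened' ); // deliberately no _nopriv_
function gb_dispatch_hardened() {
    // Terminates the request with 403 if the nonce is missing or invalid.
    check_ajax_referer( 'gb_dispatch_nonce', 'nonce' );

    $action = sanitize_key( $_POST['gb_action'] ?? '' );
    if ( ! isset( GB_ACTIONS[ $action ] ) ) {
        wp_send_json_error( 'unknown action', 400 ); // never dispatch on caller-chosen names
    }
    list( $callable, $cap ) = GB_ACTIONS[ $action ];

    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( 'forbidden', 403 ); // authorization enforced per action
    }
    wp_send_json_success( call_user_func( $callable, wp_unslash( $_POST ) ) );
}

// If an unauthenticated endpoint is genuinely required, register a separate
// handler that exposes only read-only, non-privileged behaviour and keeps
// installer and filesystem helpers entirely out of its reach.
```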

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

- CVE-2026-40189 (shared CWE-862)
- CVE-2025-10690 (shared CWE-862)
- CVE-2026-25242 (shared CWE-862)
- CVE-2026-5464 (shared CWE-862)
- CVE-2025-5394 (shared CWE-862)
- CVE-2025-1307 (shared CWE-862)
- CVE-2024-11423 (shared CWE-862)
- CVE-2026-24534 (shared CWE-862)
- CVE-2026-25164 (shared CWE-862)
- CVE-2024-50967 (shared CWE-862)
