CVE-2026-4038

Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call

Assigner: Wordfence
Reserved: 12.03.2026 Published: 20.03.2026 Updated: 20.03.2026

The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to call arbitrary WordPress functions such as 'update_option' to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	CodeRevolution
Product	Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit
Versions	Default: unaffected affected from * to 2.7.5 (incl.)

Vendor

CodeRevolution

Product

Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit

Versions

Default: unaffected

affected from * to 2.7.5 (incl.)

Credits

Hung Nguyen finder

References

Problem Types