cvedb.io
CVE-2026-9810
UNKNOWN · CVSS n/a
EPSS exploitation probability: 0%
Published 2026-07-17T07:16:38.230 · Last modified 2026-07-17T07:16:38.230

Summary

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitrary user creation and role escalation.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.