PT-2026-26553 · WordPress · Aimogen Pro

Hung Nguyen · Published 2026-03-20 · Updated 2026-04-01 · CVE-2026-4038

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Aimogen Pro versions up to 2.7.5
Description: The Aimogen Pro plugin for WordPress is susceptible to an Arbitrary Function Call, potentially leading to privilege escalation. This is due to a missing capability check within the aiomatic_call_ai_function_realtime function. Unauthenticated attackers can exploit this to invoke arbitrary WordPress functions, such as update_option, to modify site settings. Specifically, attackers can update the default user role for registration to administrator, enabling them to gain administrative access to a vulnerable site. The update_option function allows modification of WordPress options, potentially impacting site security and functionality.
Recommendations: Aimogen Pro versions prior to 2.7.5 should be updated. As a temporary workaround, consider disabling the aiomatic_call_ai_function_realtime function until a patch is available.
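As an added example (not Aimogen Pro's code; every aiexample_* name below is hypothetical), this is the shape a hardened "realtime function call" AJAX handler takes: the capability check the advisory says is missing, plus a nonce check and a fixed allowlist so the request can never name an arbitrary WordPress function such as update_option.

```php
<?php
// Added example, not the plugin's code. The flaw class in the advisory is an
// endpoint reachable without authentication that hands a caller-chosen function
// name to PHP's dynamic call machinery. The three checks below close it.

// Only functions a privileged user may legitimately trigger. Nothing here can
// change site state the plugin does not need to change (no update_option).
const AIEXAMPLE_ALLOWED_TOOLS = array(
    'aiexample_tool_get_post_title',
    'aiexample_tool_search_posts',
);

function aiexample_tool_get_post_title( array $args ) {
    $post = get_post( absint( $args['post_id'] ?? 0 ) );
    return $post ? $post->post_title : null;
}

function aiexample_tool_search_posts( array $args ) {
    $q = sanitize_text_field( $args['q'] ?? '' );
    return array_map( 'get_the_title', get_posts( array( 's' => $q ) ) );
}

function aiexample_call_ai_function_realtime() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'aiexample_realtime', 'nonce' );

    // 2. Authorization: the capability check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: the request selects from a fixed set, never a free-form name.
    $tool = isset( $_POST['function'] ) ? sanitize_key( wp_unslash( $_POST['function'] ) ) : '';
    if ( ! in_array( $tool, AIEXAMPLE_ALLOWED_TOOLS, true ) ) {
        wp_send_json_error( 'unknown tool', 400 );
    }

    $args = ( isset( $_POST['args'] ) && is_array( $_POST['args'] ) )
        ? wp_unslash( $_POST['args'] ) : array();
    wp_send_json_success( call_user_func( $tool, $args ) );
}

// Registered for logged-in users only: there is deliberately no wp_ajax_nopriv_
// hook, so anonymous requests never reach the handler at all.
add_action( 'wp_ajax_aiexample_call_ai_function_realtime', 'aiexample_call_ai_function_realtime' );
```

For a site that ran a vulnerable version, the impact the advisory names can be checked directly: `wp option get default_role` should return the role you expect (normally subscriber), and any unexpected administrator accounts should be reviewed.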

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-4038

Affected Products: Aimogen Pro