CVE-2026-27407

Vulnerability

In AI Engine plugin for WordPress versions 3.4.9 and earlier, an editor privilege escalation vulnerability exists. [1] This allows users with the Editor role to escalate their privileges to a higher level, such as Administrator. The flaw is present in the plugin's core functionality and does not require any additional configuration.

Exploitation

An attacker who already has a low-privileged account (e.g., Editor) can exploit this vulnerability to gain higher privileges. [1] The specific exploitation steps are not publicly detailed, but mass-exploit campaigns have been observed targeting this flaw. No user interaction is required beyond having the initial account.

Impact

Successful exploitation enables the attacker to elevate their account to a higher privilege level, potentially gaining full administrative control of the WordPress site. [1] This can lead to complete site compromise, including the ability to modify content, install plugins, and access sensitive data.

Mitigation

The vulnerability is fixed in version 3.5.0. [1] Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied. [1] The vulnerability is listed as likely to be exploited in the wild.