CVE-2026-39699
Description
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in AI Workflow Automation plugin (≤1.4.2) allows unauthenticated or low-privilege users to access restricted functions.
Vulnerability Overview
The AI Workflow Automation plugin for WordPress (versions ≤1.4.2) contains a missing authorization vulnerability, classified as a broken access control issue. The plugin fails to properly verify user permissions or nonce tokens in certain functions, meaning that higher-privileged actions can be triggered by users without the required access level [1].
Exploitation Path
An attacker does not need to authenticate as an administrator: any user who can reach the WordPress site over the network, including a completely unauthenticated one, could exploit the missing authorization check. Because the vulnerability is in a lite version of the plugin that is widely deployed, it is a common target for mass-exploit campaigns that scan for vulnerable websites [1].
Impact
Successful exploitation allows an attacker to perform actions that should be restricted to privileged roles (e.g., admin-level operations). This could lead to unauthorized modification of workflows, data exposure, or further compromise of the affected WordPress site. The CVSS score of 5.3 (Medium) reflects the potential for partial impact on confidentiality, integrity, and availability [1].
Mitigation
The vendor has not confirmed a fixed version at the time of writing; however, immediate action is recommended. Users should update the plugin to the latest available version as soon as a patched release is provided. If updating is not possible, disable the plugin or contact the hosting provider for assistance in applying a virtual patch or workaround [1].
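An inventory check to support the mitigation above, added here as an example and not taken from the vendor or the CVE record: it looks for the `ai-workflow-automation-lite` slug under a `wp-content/plugins` directory and compares the plugin's `Version:` header with 1.4.2. The function names, status labels and the sample file name `plugin-main.php` are assumptions; the sample plugin tree is constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "ai-workflow-automation-lite"   # plugin slug from the CVE description
LAST_AFFECTED = (1, 4, 2)              # "through <= 1.4.2" per the CVE description
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def parse_version(text):
    """Turn '1.4.2' or '1.4.2-beta' into a comparable tuple of three ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Read the Version header from the top-level PHP file declaring 'Plugin Name:'.
    WordPress reads only the first 8 KiB of a file for headers; so does this."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:
            m = HEADER_RE.search(head)
            return m.group(1) if m else None
    return None

def audit(plugins_root):
    """Return (status, version) for the plugin under one wp-content/plugins dir."""
    plugin_dir = Path(plugins_root) / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown-version", None)   # treat as affected until checked by hand
    if parse_version(version) <= LAST_AFFECTED:
        return ("affected", version)
    # No fixed release is confirmed on the page, so a newer version is not cleared.
    return ("newer-unconfirmed", version)

def demo():
    """Build a constructed plugin tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / SLUG
        d.mkdir()
        # Constructed header; the real main file name is not given on the page.
        (d / "plugin-main.php").write_text(
            "<?php\n/*\n * Plugin Name: Example\n * Version: 1.4.2\n */\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against each site's plugins directory; an `affected` or `unknown-version` result marks a site where the plugin should be disabled until a patched release is confirmed.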
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.