Critical severity9.8NVD Advisory· Published Jun 1, 2026· Updated Jun 1, 2026

CVE-2026-48879

Description

An incorrect privilege assignment in AIWU versions through 1.4.17 allows unauthenticated privilege escalation to take over WordPress sites.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An incorrect privilege assignment in AIWU versions through 1.4.17 allows unauthenticated privilege escalation to take over WordPress sites.

Vulnerability

CVE-2026-48879 is an incorrect privilege assignment vulnerability in the Sergey AIWU WordPress plugin (versions through 1.4.17). The flaw allows a low-privileged user to escalate their access to an account with higher privileges, potentially gaining full administrative control. No authentication is required to trigger the exploit [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability remotely by sending crafted requests to the vulnerable plugin. The attack complexity is low and requires no user interaction, making it suitable for mass automated exploitation campaigns [1].

Impact

Successful exploitation enables the attacker to escalate their privileges to an administrator level, which can lead to complete compromise of the website. This includes the ability to modify content, install malicious plugins, and exfiltrate data. The vulnerability has a CVSS v3 score of 9.8, indicating critical severity [1].

Mitigation

The vulnerability is remediated in version 1.4.19 of the AIWU plugin. Users are advised to update to this version immediately. Patchstack also provides a virtual mitigation rule for users who cannot update right away [1].

References

Privilege Escalation in WordPress AIWU Plugin

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/AI Copilot Content Generatorinferred2 versions
<=1.4.17+ 1 more
- (no CPE)range: <=1.4.17
- (no CPE)range: <=1.4.17
Package: https://wordpress.org/plugins/ai-copilot-content-generator

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

patchstack.com/database/wordpress/plugin/ai-copilot-content-generator/vulnerability/wordpress-aiwu-plugin-1-4-17-privilege-escalation-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000