Executive Summary
CVE-2026-15982 is a critical privilege escalation vulnerability (CVSS 9.8) affecting the Aimogen Pro — All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress. All versions up to and including 2.8.4 are vulnerable.
The root cause is a missing capability check on the aiomatic_call_google_ai_function function, allowing any authenticated WordPress user — including those with only Subscriber-level access — to invoke privileged operations and escalate to Administrator.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-15982 |
| CVSS Score | 9.8 (Critical) |
| Type | Privilege Escalation |
| Authentication Required | Yes (any account, including Subscriber) |
| Affected Versions | Aimogen Pro <= 2.8.4 |
| Disclosure Date | 2026-07-17 |
| Source | NVD / WPScan |
Vulnerability Details
Root Cause
The vulnerability exists in the aiomatic_call_google_ai_function AJAX handler registered by the Aimogen Pro plugin. WordPress AJAX handlers must explicitly verify that the calling user has the appropriate capabilities (e.g., manage_options) before executing privileged actions. Aimogen Pro's handler omits this check entirely.
Because the AJAX endpoint is registered with the wp_ajax_ prefix (requiring only that the user be logged in), any authenticated user can trigger the handler. The handler's privileged execution path allows an attacker to elevate their user role to Administrator.
Attack Flow
1. Attacker registers or obtains any WordPress account (Subscriber role)
2. Sends crafted AJAX POST to wp-admin/admin-ajax.php
action=aiomatic_call_google_ai_function
3. Handler executes without capability check
4. Attacker gains Administrator-level access
5. Full site takeover achieved — install themes, plugins, edit files
Why CVSS 9.8?
The near-maximum CVSS score reflects several amplifying factors:
- Low attack complexity — exploitation is trivially straightforward
- Low privileges required — any authenticated user (Subscriber) can exploit it
- No user interaction — the attack is fully automated
- High impact on Confidentiality, Integrity, and Availability — Administrator access means full control of the WordPress installation
Affected Scope
The Aimogen Pro plugin is marketed as an all-in-one AI content toolkit, used for automated content generation, chatbots, and marketing automation on WordPress sites. Sites using this plugin for AI-assisted content workflows are at risk.
| Product | Affected Versions | Status |
|---|---|---|
| Aimogen Pro (WordPress Plugin) | All versions <= 2.8.4 | Vulnerable |
| Aimogen Pro | 2.8.5+ | Patched (if released) |
Note: As of the NVD disclosure date (2026-07-17), verify the vendor's changelog for the exact patched version. Update immediately to any version above 2.8.4 or disable the plugin until patched.
Remediation
Immediate Actions
- Update the plugin — Update Aimogen Pro to version 2.8.5 or later via the WordPress admin panel (Plugins → Updates)
- If no patch is available — Deactivate and remove the Aimogen Pro plugin immediately
- Audit user accounts — Review the WordPress user list for unexpected accounts with Administrator role
- Review admin activity logs — Check for recent unexpected admin actions (plugin installs, theme changes, user role changes)
Post-Incident
If you suspect exploitation has already occurred:
- Remove any unknown Administrator accounts
- Reset passwords for all Administrator accounts
- Scan for malicious file changes using a plugin like Wordfence or WP Cerber
- Review recently modified files in
wp-content/for injected PHP - Consider restoring from a known-good backup taken before the suspected compromise window
WordPress Plugin Security Context
Missing capability checks are one of the most common vulnerability classes in WordPress plugins, consistently appearing in WPScan advisories. Plugin developers often register AJAX handlers without following WordPress's authorization best practices:
// VULNERABLE — no capability check
add_action('wp_ajax_aiomatic_call_google_ai_function', 'aiomatic_call_google_ai_function');
function aiomatic_call_google_ai_function() {
// Privileged operations here — no current_user_can() check
}
// SECURE — with capability check
add_action('wp_ajax_aiomatic_call_google_ai_function', 'aiomatic_call_google_ai_function');
function aiomatic_call_google_ai_function() {
if (!current_user_can('manage_options')) {
wp_die('Unauthorized', 403);
}
// Privileged operations here
}Detection
Signs of Exploitation
- Unexpected Administrator-level user accounts in WordPress
- Unknown plugins installed or activated
- Modified PHP files in
wp-content/themes/orwp-content/plugins/ - Admin activity logs showing role changes from Subscriber-level accounts
- Unusual outbound HTTP requests from the web server process
Server-Side Log Patterns
Look for POST requests to wp-admin/admin-ajax.php with action=aiomatic_call_google_ai_function from user sessions that should not be making admin calls.
Key Takeaways
- CVSS 9.8 — Critical severity; any authenticated user can escalate to Admin
- Exploit is trivial — A single AJAX POST with a subscriber-level session is all it takes
- Update immediately — Patch to a version above 2.8.4 or remove the plugin
- Audit your user roles — Check for unexpected Admins if you've been running a vulnerable version