PatchSiren

AI Copilot CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review AI Copilot CVE published 2026-07-17

CVE-2026-9810

The AI Copilot WordPress plugin before 1.5.4 has a critical vulnerability that allows unauthenticated attackers to execute privileged MCP tools as an administrator. This is possible because the plugin does not bind OAuth access tokens to a WordPress user and accepts any valid token as an administrator session. The vulnerability can be exploited to create arbitrary users and escalate roles. Users of the AI [truncated]