Review
AI Copilot
CVE published 2026-07-17
CVE-2026-9810
The AI Copilot WordPress plugin before 1.5.4 has a critical vulnerability that allows unauthenticated attackers to execute privileged MCP tools as an administrator. This is possible because the plugin does not bind OAuth access tokens to a WordPress user and accepts any valid token as an administrator session. The vulnerability can be exploited to create arbitrary users and escalate roles. Users of the AI [truncated]