PatchSiren

wupsales CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM wupsales CVE published 2026-07-11

CVE-2026-6804

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress has an authorization bypass vulnerability due to improper verification of user authorization. This CVE was published on 2026-07-11T05:16:34.553Z and has not been modified since then. The vulnerability allows unauthenticated attackers to publish draft WordPress posts, exposing unpublished content, or unpublish live content, causing service d [truncated]

MEDIUM wupsales CVE published 2026-07-11

CVE-2026-6803

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNonc [truncated]

MEDIUM wupsales CVE published 2026-05-20

CVE-2026-2955

A stored cross-site scripting (XSS) vulnerability exists in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions up to and including 1.4.14). The flaw stems from insufficient input sanitization and output escaping of the X-Forwarded-For HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts. When a user accesses a page containing the injected payload, the script [truncated]