PatchSiren cyber security CVE debrief
CVE-2026-6803 wupsales CVE debrief
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions.
- Vendor
- wupsales
- Product
- AI Copilot – Content Generator
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
WordPress users with the AI Chatbot & Workflow Automation by AIWU plugin installed should be aware of this vulnerability, as it allows unauthenticated attackers to delete specific records by ID or delete all records from any module's database table.
Technical summary
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. The vulnerability is caused by missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks. The base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table.
Defensive priority
Medium priority should be given to patching this vulnerability, as it allows for unauthorized deletion of records.
Recommended defensive actions
- Apply the latest patch (version 1.4.13 or later) for the AI Chatbot & Workflow Automation by AIWU plugin.
- Review and restrict access to sensitive data and functionality.
- Monitor for suspicious activity related to AJAX actions.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-11T05:16:34.430Z and has not been modified since then. The NVD entry is currently Received. The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. Evidence is limited to CVE and NVD details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:34.430Z and has not been modified since then.