🔴 严重 | CVE-2026-9810 — The AI Copilot WordPress plugin before 1.5.4 does...
🔴 《严重安全漏洞:CVE-2026-9810》
CVSS 评分: 严重(9.8) 状态: Received 发布时间: 2026-07-17
漏洞描述
The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitrary user creation and role escalation.
🔍 技术细节
| 字段 | 值 |
|---|---|
| CVE ID | CVE-2026-9810 |
| CVSS 评分 | 9.8 🔴 |
| 严重程度 | 严重 |
| CVSS 向量 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE 分类 | CWE-269 |
| 发布时间 | 2026-07-17 |
| 最后更新 | 2026-07-17 |
| 状态 | Received |
| 数据来源 | contact@wpscan.com |
🔗 参考链接
💬 评论