216.73.216.75

CVE-2026-9810

· Published 17/07/2026 09:16 · Author: The MITRE Corporation

Labels: CVE-2026-9810

Essential information

Published
17/07/2026 09:16
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
9.8 CRITICAL (v3.1)
CISA KEV
No
CWE
CWE-269
EPSS (First)
P3.5% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00137)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitrary user creation and role escalation.

NVD status

NVD
View on NVD