LeakyCreds

CVE-2026-4038 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 20, 2026

Aimogen Pro WordPress Plugin - Privilege Escalation

Published: March 20, 2026 | Updated: March 20, 2026 | Remote Exploitable

Overview

The Aimogen Pro WordPress plugin, versions <= 2.7.5, contains an arbitrary function call vulnerability caused by a missing capability check in 'aiomatic_call_ai_function_realtime'. The missing check lets unauthenticated attackers escalate privileges by calling arbitrary WordPress functions.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 5.5% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can escalate privileges to administrator, gaining full control over the WordPress site.

Mitigation

Update the plugin to the latest version, which must be later than 2.7.5.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 20, 2026

CVE-2026-4038 - Critical (9.8) The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5.... https://www.thehackerwire.com/vulnerability/CVE-2026-4038/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-4038
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: unconfirmed
EPSS: 5.5%
Social Posts: 1

CWE

  • CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.5% (probability of exploitation in the next 30 days)