Critical

Arbitrary Function Call Privilege Escalation in Aimogen Pro for WordPress

IdentifiersCVE-2026-4038CWE-862· Missing Authorization

CVE-2026-4038 is an arbitrary function call vulnerability in the Aimogen Pro plugin for WordPress affecting all versions up to and including 2.7.5. The issue is caused by a missing capability check in the plugin function 'aiomatic_call_ai_function_realtime'. Because the function does not properly verify whether the caller is authorized, an unauthenticated attacker can invoke arbitrary WordPress functions through the vulnerable code path. Reported exploitation includes calling the core WordPress function 'update_option' to modify site configuration, specifically enabling user registration and changing the default registration role to administrator. This can then be used to create a new administrator account and obtain full administrative access to the vulnerable WordPress site.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated privilege escalation to administrative access on the affected WordPress site. By invoking arbitrary WordPress functions, an attacker can alter critical site options and security-relevant configuration. The documented attack path enables user registration and sets the default role for new users to administrator, allowing the attacker to register an admin account. With administrative access, the attacker can fully compromise the site, including access to sensitive data, modification of content and configuration, installation of malicious plugins or backdoors, and potential disruption of site availability.

Mitigation

If you can’t patch tonight, do this now.

If an updated version is not yet available, disable or remove the Aimogen Pro plugin to eliminate the vulnerable attack surface. As a temporary defensive measure, restrict public access to the affected functionality where possible using WAF rules, reverse-proxy filtering, or application-level access controls, and monitor for requests targeting 'aiomatic_call_ai_function_realtime'. Review and lock down WordPress registration settings, ensure administrator account creation is monitored, and inspect the site for unexpected option changes, newly created privileged users, malicious plugins, or modified theme/plugin files.

Remediation

Patch, then assume compromise.

Update the Aimogen Pro plugin to a version newer than 2.7.5 once a vendor fix is available. The underlying issue should be remediated by adding a proper capability check to 'aiomatic_call_ai_function_realtime' and restricting callable functions to a strict allowlist of intended operations. Any exposed unauthenticated access to this functionality should be removed. After patching, administrators should review WordPress settings for unauthorized changes, especially 'users_can_register' and the default role for new users, and audit for rogue administrator accounts or other persistence mechanisms created during exploitation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cvefeed high severityNews

Mar 20, 2026

CVE-2026-4038 - Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call

A privilege escalation vulnerability in the Aimogen Pro plugin for WordPress caused by a missing capability check in the 'aiomatic_call_ai_function_realtime' function, allowing unauthenticated attackers to call arbitrary WordPress functions and gain administrative access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-4038

NVD

nvd.nist.gov/vuln/detail/CVE-2026-4038

MITRE CWE · CWE-862

Missing Authorization

codecanyon.net

codecanyon.net/item/aimogen-pro-allinone-ai-content-writer-editor-chatbot-automation-toolkit/38877369

wordfence.com

wordfence.com/threat-intel/vulnerabilities/id/b3e45a17-cb41-41ba-ab6c-c83202f0ecfd?source=cve