Description
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This issue is partially mitigated by a patch in version 1.4.11 that adds a nonce check for a nonce that is only available to administrators.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AI Chatbot & Workflow Automation by AIWU plugin contains an unauthenticated SQL Injection flaw in the getListForTbl() function caused by insufficient escaping and lack of query preparation. This weakness, classified as CWE-89, allows an attacker to inject and execute arbitrary SQL against the WordPress database, potentially exposing sensitive information such as user credentials, site content, or configuration data. The effect is a loss of confidentiality through data theft, with no documented path to arbitrary code execution or system compromise.

Affected Systems

WordPress sites running the AI Chatbot & Workflow Automation by AIWU plugin version 1.4.17 or earlier are affected. The vendor identified is wupsales. Only the specific plugin product and its version range are listed; other WordPress components are not impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, placing it in the high severity range. EPSS information is not available, so the likelihood of exploitation cannot be quantitatively assessed. The issue is not listed in the CISA KEV catalog. Based on the description, the attack is likely performed by sending crafted HTTP requests to plugin endpoints that invoke getListForTbl(), and because the vulnerability is unauthenticated, any visitor to the site can exploit it. A partial mitigation was added in version 1.4.11 by introducing a nonce check that is only available to administrators.

Generated by OpenCVE AI on May 12, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest release that contains the SQL injection fix (any version newer than 1.4.17).
  • If upgrading is not possible, deactivate or uninstall the plugin until a patched version is released.
  • As a temporary workaround, enforce the admin‑only nonce check from the 1.4.11 patch or implement a similar authentication requirement for the getListForTbl endpoint, such as adding an admin‑only token or configuring a web application firewall to block malicious SQL payloads.

Generated by OpenCVE AI on May 12, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/controller.php#L104 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/controller.php#L114 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/controller.php#L132 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/controller.php#L154 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/controller.php#L157 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/frame.php#L282 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/model.php#L162 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/req.php#L194 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/tags/1.4.6/classes/table.php#L265 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/controller.php#L104 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/controller.php#L114 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/controller.php#L132 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/controller.php#L154 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/controller.php#L157 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/frame.php#L282 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/model.php#L162 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/req.php#L194 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ai-copilot-content-generator/trunk/classes/table.php#L265 cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/74c71541-6706-43d2-af3d-0655e59f997c?source=cve cve-icon cve-icon
History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This issue is partially mitigated by a patch in version 1.4.11 that adds a nonce check for a nonce that is only available to administrators.
Title AI Chatbot & Workflow Automation by AIWU <= 1.4.17 - Unauthenticated SQL Injection in getListForTbl()
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:56:41.038Z

Reserved: 2026-02-22T21:47:27.293Z

Link: CVE-2026-2993

cve-icon Vulnrichment

Updated: 2026-05-12T12:56:37.157Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T09:16:40.030

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-2993

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:30:14Z

Weaknesses