Description
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Engine (Pro): from n/a through < 3.4.2.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to plugin functionality and data
Action: Patch Now
AI Analysis

Impact

The AI Engine (Pro) WordPress plugin contains a missing authorization flaw that allows an attacker to use plugin endpoints without proper permission. The vulnerability can lead to unauthorized access to, modification of, or disclosure of plugin-maintained data, exposing the site’s administrative features or content. This is a classic missing authorization weakness (CWE-862).

Affected Systems

The affected product is Jordy Meow’s AI Engine (Pro) plugin. Every released version prior to 3.4.2 is vulnerable; the advisory gives no lower bound ("from n/a"), so the flaw is treated as present from the initial release onward. Users running versions older than 3.4.2 on WordPress sites are at risk.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity, and the EPSS of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exposures typically arise from web requests to the plugin’s admin interface; an attacker may not need elevated privileges if the site’s configuration allows broad access to the plugin’s endpoints. The exact attack vector is inferred from the description of a missing authorization check.

Generated by OpenCVE AI on April 13, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AI Engine (Pro) to version 3.4.2 or later
  • Verify that the WordPress site is running the latest patch from the vendor's updates feed
  • If an upgrade is not immediately available, restrict access to the plugin’s administrative pages through role‑based permissions or a firewall rule
  • Consider disabling the plugin entirely until a patched version is released

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Mon, 13 Apr 2026 19:15:00 +0000

Metrics
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

First Time appeared
  Values Added: Jordy Meow; Jordy Meow ai-engine; Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Jordy Meow; Jordy Meow ai-engine; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Description
  Values Added: Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Engine (Pro): from n/a through < 3.4.2.
Title
  Values Added: WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability
Weaknesses
  Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.954Z

Reserved: 2026-04-07T10:47:50.136Z

Link: CVE-2026-39506

Vulnrichment

Updated: 2026-04-13T18:43:19.459Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:24.790

Modified: 2026-04-29T10:17:26.110

Link: CVE-2026-39506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:39:58Z

Weaknesses