Impact
The vulnerability is an arbitrary function call flaw in the CodeRevolution Aimogen Pro WordPress plugin, caused by a missing capability check on the 'aiomatic_call_ai_function_realtime' function. It is classified as CWE-862 (Missing Authorization). Because the plugin never verifies that the caller holds an appropriate capability, unauthenticated attackers can have it invoke arbitrary WordPress functions, including 'update_option', and so rewrite site configuration. In the reported attack chain, the attacker sets the default role for new users to 'Administrator' and enables open user registration, then registers an account that is created as an administrator and gains full administrative control of the site.
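The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX handler that dispatches a caller-supplied function name through call_user_func_array with no nonce, capability check or allowlist, beside a hardened form that adds all three. The handler names, AJAX action names, request parameters and the plugin-internal callbacks in the allowlist are assumptions; the WordPress APIs used (add_action, the wp_ajax_nopriv_* hook, check_ajax_referer, current_user_can, sanitize_key, wp_send_json_success, wp_send_json_error) are real.

```php
<?php
// Added illustration only; hypothetical handler, action and parameter names.

// --- Vulnerable pattern (CWE-862: missing authorization) ---
// Registering the callback on wp_ajax_nopriv_* as well as wp_ajax_* exposes it
// to unauthenticated POSTs to /wp-admin/admin-ajax.php?action=example_call_function
add_action( 'wp_ajax_example_call_function', 'example_call_function_vulnerable' );
add_action( 'wp_ajax_nopriv_example_call_function', 'example_call_function_vulnerable' );

function example_call_function_vulnerable() {
    $fn   = isset( $_POST['function'] ) ? sanitize_text_field( wp_unslash( $_POST['function'] ) ) : '';
    $args = isset( $_POST['args'] ) ? (array) wp_unslash( $_POST['args'] ) : array();

    // No nonce, no current_user_can(), no allowlist: the request chooses the callee.
    // The attack chain from the advisory maps onto two such requests, e.g.
    //   function=update_option&args[0]=default_role&args[1]=administrator
    //   function=update_option&args[0]=users_can_register&args[1]=1
    // after which a self-registered user is created as an administrator.
    $result = call_user_func_array( $fn, $args );
    wp_send_json_success( $result );
}

// --- Hardened form ---
// Only logged-in users reach it (no nopriv hook); the nonce ties the request to a
// form the site issued; the capability check supplies the missing authorization;
// and the callable is chosen from a fixed allowlist, never from request input.
add_action( 'wp_ajax_example_call_function_safe', 'example_call_function_safe' );

function example_call_function_safe() {
    check_ajax_referer( 'example_call_function', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Hypothetical plugin-internal callbacks keyed by a short operation name.
    $allowed = array(
        'summarize' => 'example_ai_summarize',
        'rewrite'   => 'example_ai_rewrite',
    );

    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! isset( $allowed[ $op ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown operation' ), 400 );
    }

    $text   = isset( $_POST['text'] ) ? sanitize_textarea_field( wp_unslash( $_POST['text'] ) ) : '';
    $result = call_user_func( $allowed[ $op ], $text );
    wp_send_json_success( $result );
}
```

The allowlist is the part that closes the class of bug: a capability check alone still lets any administrator-level session call any PHP function by name, and a nonce alone does nothing against a logged-in attacker who can read it from the page. Resolving the callee from a server-side map means the request can only pick among operations the plugin deliberately exposes.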
Affected Systems
All WordPress sites running the CodeRevolution Aimogen Pro plugin at version 2.7.5 or earlier are affected. The flaw is exploitable remotely over the network with no pre-existing credentials, so the exposed population is broad and the risk immediate. The plugin is distributed through the CodeCanyon marketplace and is widely used in content-generation workflows.
Risk and Exploitability
The CVSS score of 9.8 places the vulnerability at critical severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog; neither point lowers the risk, since KEV records only vulnerabilities with confirmed in-the-wild exploitation. Exploitation requires a single crafted HTTP request to the vulnerable endpoint; no additional software, foothold or privileged access is needed. A successful exploit yields full administrative privileges and therefore a complete compromise of the confidentiality, integrity and availability of the affected WordPress instance. Given the described attack chain, site owners should verify that the 'default_role' and 'users_can_register' options still hold their intended values and review any administrator accounts created since the plugin was installed.
OpenCVE Enrichment