Vulnerability  ·  2026-07-19

WordPress AI Copilot Plugin OAuth Token Binding Failure Enables Unauthenticated Admin Takeover of MCP Tools

VulnerabilityHigh impactGlobalCVE-2026-9810
WPScan/NVD disclosed a critical (CVSS 9.8) authentication design flaw in the AI Copilot WordPress plugin: OAuth tokens were never bound to a specific user identity, so any completed OAuth handshake yielded an admin-equivalent session capable of driving the plugin's MCP tool surface.
This is a concrete example of MCP tool authorization being trivially bypassable in a widely installed WordPress AI plugin — an unauthenticated attacker can escalate to full site administrator by abusing the agentic tool layer rather than a traditional web vulnerability, demonstrating the real-world blast radius of poorly scoped MCP tool permissions.
The plugin's OAuth flow does not bind issued access tokens to a specific WordPress user account. Any unauthenticated attacker who completes the public OAuth flow (which requires no privileged access) receives a valid token that the plugin then treats as an administrator session, allowing invocation of privileged MCP tools including arbitrary user creation and role escalation.
AI Copilot WordPress plugin before 1.5.4
Update to AI Copilot plugin version 1.5.4 or later, which binds OAuth tokens to the originating WordPress user.
NVD CVE-2026-9810WPScan Vulnerability Database
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →