Home / Vulnerability Intelligence / CVE-2026-5294

CVE-2026-5294 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: May 5, 2026

Geeky Bot WordPress plugin - Broken Access Control

Published: May 5, 2026Updated: May 5, 2026Remote Exploitable

Overview

Geeky Bot WordPress plugin <= 1.2.2 contains a missing authorization vulnerability due to a nopriv AJAX route allowing attacker-controlled function dispatch, letting unauthenticated attackers install arbitrary plugins and execute code remotely.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Unauthenticated attackers can install arbitrary plugins and execute code remotely, leading to full site compromise.

Mitigation

Update to the latest version beyond 1.2.2.

References

https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-5294
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: new

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H