CRITICALCVE-2026-5294Published Modified CNA Wordfence
CVE-2026-5294: GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action
The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
Affected packages
- ahmadgb / GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content≤ 1.2.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences