{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39506", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:50.136Z", "datePublished": "2026-04-08T08:30:13.840Z", "dateUpdated": "2026-04-13T18:43:22.406Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ai-engine-pro", "product": "AI Engine (Pro)", "vendor": "Jordy Meow", "versions": [{"changes": [{"at": "3.4.2", "status": "unaffected"}], "lessThanOrEqual": "3.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:01.691Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AI Engine (Pro): from n/a through < 3.4.2.</p>"}], "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:13.840Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:43:09.649082Z", "id": "CVE-2026-39506", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:43:22.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:43:09.649082Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:43:19.459Z"}}], "cna": {"title": "WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Jordy Meow", "product": "AI Engine (Pro)", "versions": [{"status": "affected", "changes": [{"at": "3.4.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.4.2"}], "packageName": "ai-engine-pro", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:29:01.691Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AI Engine (Pro): from n/a through < 3.4.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:13.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39506", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:43:22.406Z", "dateReserved": "2026-04-07T10:47:50.136Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:13.840Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2."}], "id": "CVE-2026-39506", "lastModified": "2026-04-13T19:16:43.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:24.790", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.2)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "AI Engine (Pro)", "source": "cna", "vendor": "Jordy Meow"}, "product": "ai-engine", "vendor": "jordy_meow"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:01:54.367121+00:00", "value": {"mitigation_remediation": ["Upgrade AI Engine (Pro) to version 3.4.2 or later", "Verify that the WordPress site is running the latest patch from the vendor's updates feed", "If an upgrade is not immediately available, restrict access to the plugin\u2019s administrative pages through role\u2011based permissions or a firewall rule", "Consider disabling the plugin entirely until a patched version is released"], "summary": {"action": "Patch Now", "impact": "Unauthorized Access to plugin functionality and data"}, "threat_synthesis": {"affected_systems": "The affected product is Jordy\u202fMeow\u2019s AI\u202fEngine\u202f(Pro) plugin. Any released version prior to 3.4.2 is vulnerable, as the vulnerability exists from the initial release through all earlier versions. Users running versions older than 3.4.2 on WordPress sites are at risk.", "description_and_impact": "The AI Engine (Pro) WordPress plugin contains a missing authorization flaw that allows an attacker to use plugin endpoints without proper permission. The vulnerability can lead to unauthorized access to, modification of, or disclosure of plugin\u2011maintained data, exposing the site\u2019s administrative features or content. This is a classic Missing Privilege enforcement weakness (CWE\u2011862).", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity, and the EPSS of less than 1\u202f% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exposures typically arise from web requests to the plugin\u2019s admin interface; an attacker may not need elevated privileges if the site\u2019s configuration allows broad access to the plugin\u2019s endpoints. The exact attack vector is inferred from the description of a missing authorization check."}}}}, "created": "2026-04-08T19:43:01.691140+00:00", "updated": "2026-04-14T16:39:58.024216+00:00", "vendors": ["jordy_meow", "jordy_meow$PRODUCT$ai-engine", "wordpress", "wordpress$PRODUCT$wordpress"]}