CVE-2026-5294 CRITICAL

CVE-2026-5294: GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action

Vendor Ahmadgb
Product GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
Weakness CWE-862 · Missing authorization
Published May 5, 2026
Last update May 6, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.
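To make the defect class concrete, the following is an added illustration constructed for this page, not GeekyBot's own code: all non-core function and action names (example_frontendajax, example_install_from_repo) are hypothetical. It shows an unauthenticated (nopriv) AJAX dispatcher with the weakness the description names, beside a hardened handler that is registered only for logged-in users, checks a nonce and the install_plugins capability, dispatches only through a fixed allowlist, and installs plugins by repository slug instead of a request-supplied ZIP.

```php
<?php
// Constructed illustration of the CWE-862 pattern described above; not GeekyBot's code.
// All non-core function and action names are hypothetical.

// Defective pattern: the hook is registered for unauthenticated visitors (nopriv) and the
// request chooses which internal function runs, so it can reach an installer helper.
add_action( 'wp_ajax_nopriv_example_frontendajax', 'example_frontendajax_defective' );
function example_frontendajax_defective() {
    $func = sanitize_text_field( wp_unslash( $_POST['function'] ?? '' ) );
    if ( function_exists( $func ) ) {          // no nonce, no capability check, no allowlist
        wp_send_json( call_user_func( $func, $_POST ) );
    }
    wp_send_json_error( 'unknown function', 400 );
}

// Hardened pattern: no nopriv registration, nonce-checked, capability-checked, and
// dispatch limited to a fixed map so the client can never name a callee.
add_action( 'wp_ajax_example_frontendajax', 'example_frontendajax_hardened' );
function example_frontendajax_hardened() {
    check_ajax_referer( 'example_frontendajax', 'nonce' );      // dies on a missing or invalid nonce
    if ( ! current_user_can( 'install_plugins' ) ) {             // authorization for code-installing work
        wp_send_json_error( 'forbidden', 403 );
    }
    $ops = array( 'install' => 'example_install_from_repo' );   // allowlist of operations
    $op  = sanitize_key( wp_unslash( $_POST['op'] ?? '' ) );
    if ( ! isset( $ops[ $op ] ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }
    wp_send_json( call_user_func( $ops[ $op ] ) );
}

// Installs only a slug resolved through the wordpress.org plugin API, so the package URL
// comes from the repository rather than from the request body.
function example_install_from_repo() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $slug = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    $api  = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return array( 'ok' => false, 'error' => $api->get_error_message() );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return array( 'ok' => ( true === $result ), 'slug' => $slug );
}
```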

Explanation of Vulnerability in Simple Terms

02 Summary

GeekyBot versions up to 1.2.2 lack proper authorization checks, allowing unauthenticated attackers to perform sensitive actions over the network without user interaction. The vulnerability affects confidentiality, integrity, and availability of the affected system. Update to a version newer than 1.2.2 to remediate.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete data and disrupt service without logging in.

Potential impact on your site

04 Site Impact

Attackers can access, modify, or delete any data in GeekyBot without credentials.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 5, 2026 CVE published
May 6, 2026 Record updated

Related vulnerabilities

08 Related CVE