{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39506", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:50.136Z", "datePublished": "2026-04-08T08:30:13.840Z", "dateUpdated": "2026-04-08T08:30:13.840Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ai-engine-pro", "product": "AI Engine (Pro)", "vendor": "Jordy Meow", "versions": [{"changes": [{"at": "3.4.2", "status": "unaffected"}], "lessThanOrEqual": "3.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:01.691Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AI Engine (Pro): from n/a through < 3.4.2.</p>"}], "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:13.840Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2."}], "id": "CVE-2026-39506", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:24.790", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine-pro/vulnerability/wordpress-ai-engine-pro-plugin-3-4-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.2)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "AI Engine (Pro)", "source": "cna", "vendor": "Jordy Meow"}, "product": "ai-engine", "vendor": "jordy_meow"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:22:08.783570+00:00", "value": {"mitigation_remediation": ["Update the AI Engine (Pro) plugin to version 3.4.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "All installations of Jordy Meow AI Engine (Pro) plugin with a version lower than 3.4.2 are impacted. The vulnerability applies to every release from its initial launch up to, but not including, version 3.4.2. Administrators using any such version on their WordPress sites should verify the current plugin version and upgrade if possible.", "description_and_impact": "The vulnerability is a missing authorization flaw that enables an attacker to exploit incorrectly configured access control levels. This flaw can allow a user with insufficient privileges, or possibly an unauthenticated attacker, to bypass security restrictions and perform privileged actions within the plugin. The primary impact is the potential compromise of data integrity and confidentiality within the WordPress site that relies on the affected plugin.", "risk_and_exploitability": "There is no CVSS score available in the provided data, so the exact severity cannot be quantified here. No EPSS or KEV information indicates the exploitation probability is unknown. Based strictly on the description, the likely attack vector involves HTTP requests to plugin endpoints that lack proper authorization checks, allowing an attacker to access restricted features. If an attacker can identify and reach these endpoints, the risk of successful exploitation is significant, especially for sites that rely heavily on the plugin\u2019s functionality."}}}}, "created": "2026-04-08T19:43:01.691140+00:00", "updated": "2026-04-09T08:22:13.795466+00:00", "vendors": ["jordy_meow", "jordy_meow$PRODUCT$ai-engine", "wordpress", "wordpress$PRODUCT$wordpress"]}