CVE Catalog

CVE-2026-5294

Critical
Published: Translated: NVD NIST

Summary

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files.

Risk Assessment

Unauthenticated attackers can perform arbitrary plugin installation, leading to remote code execution and serious security risks.

Recommendation

It is recommended to update the Geeky Bot plugin to the latest version to mitigate this vulnerability and to monitor the system for unauthorized plugin installations.

Original NVD description (English source)

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS