{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1103", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-17T00:47:31.833Z", "datePublished": "2026-01-24T07:26:44.703Z", "dateUpdated": "2026-04-08T17:04:25.213Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:25.213Z"}, "affected": [{"vendor": "aiktp", "product": "AIKTP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.04", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator."}], "title": "AIKTP <= 5.0.04 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123"}, {"url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-01-23T19:19:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:19:08.516310Z", "id": "CVE-2026-1103", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:19:14.889Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1103", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:19:08.516310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:19:11.298Z"}}], "cna": {"title": "AIKTP <= 5.0.04 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "aiktp", "product": "AIKTP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.04"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T19:19:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123"}, {"url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp"}], "descriptions": [{"lang": "en", "value": "The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:25.213Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1103", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:25.213Z", "dateReserved": "2026-01-17T00:47:31.833Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T07:26:44.703Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator."}, {"lang": "es", "value": "El plugin AIKTP para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de comprobaciones de autorizaci\u00f3n en el endpoint de la API REST /aiktp/getToken en todas las versiones hasta la 5.0.04, inclusive. El endpoint utiliza 'verify_user_logged_in' como callback de permisos, que solo comprueba si un usuario ha iniciado sesi\u00f3n, pero no verifica si el usuario tiene capacidades administrativas. Esto hace posible que atacantes autenticados con acceso de nivel Suscriptor y superior recuperen el token de acceso 'aiktpz_token' del administrador, que luego puede ser utilizado para crear publicaciones, subir archivos de la librer\u00eda de medios y acceder a contenido privado como el administrador."}], "id": "CVE-2026-1103", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:09.347", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:04:29.181502+00:00", "value": {"mitigation_remediation": ["Upgrade the AIKTP plugin to the latest version that secures or removes the /aiktp/getToken endpoint.", "If an upgrade is not immediately possible, disable the /aiktp/getToken endpoint by deactivating the plugin or removing the endpoint code.", "Ensure that only users with administrative roles can use REST API endpoints by tightening role capabilities and verifying that Subscriber accounts lack higher privileges."], "summary": {"action": "Immediate patch", "impact": "Privilege escalation to administrator data modification via missing authorization"}, "threat_synthesis": {"affected_systems": "WordPress sites running the AIKTP plugin version 5.0.04 or earlier. The vulnerability affects the AIKTP plugin shipped under the vendor aiktp, identified as AIKTP up to and including version 5.0.04.", "description_and_impact": "The AIKTP plugin for WordPress contains a missing authorization check on the /aiktp/getToken REST API endpoint. The endpoint only verifies that a user is logged in, not that the user has administrative capabilities. As a result, any authenticated user with Subscriber-level access or higher can retrieve the administrator's access token. This token enables the attacker to create posts, upload media files, and access private content with administrator privileges, effectively giving them full control over the site's content management without proper authorization.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with at least Subscriber privileges. Once authenticated, the attacker can call the vulnerable endpoint to obtain an administrator token and then perform privileged actions. The lack of a strict permission check makes the attack straightforward for anyone with valid credentials, but the limited exploitation probability keeps the immediate risk moderate."}}}}, "created": "2026-01-26T11:48:30.993834+00:00", "updated": "2026-04-15T19:15:12.066976+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}