GHSA-8wr2-c6vh-58c4 · Severity: high — The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection...
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This issue is partially mitigated by a patch in version 1.4.11 that adds a nonce check for a nonce that is only available to administrators.
Conclusion & alert: CVE-2026-2993 is rated Moderate Risk (44.7/100): CVSS High severity, with low exploitation likelihood (EPSS 0.20%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-18 | 0.10% | 0.20% | +0.10% |
| 2 | 2026-05-12 | — | 0.10% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-8wr2-c6vh-58c4 · Severity: high — The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||