vulnerability
WordPress Plugin: aiktp: CVE-2026-1103: Missing Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:S/C:P/I:P/A:N) | Jan 23, 2026 | Jan 26, 2026 | Jan 26, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
Published
Jan 23, 2026
Added
Jan 26, 2026
Modified
Jan 26, 2026
Description
The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator.
Solution
aiktp-plugin-cve-2026-1103
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.