Security Alert: Aimogen Pro Users Must Update Immediately

What Happened

During our routine security monitoring this week, we identified that Aimogen Pro — a WordPress plugin used by thousands of websites — contains a security vulnerability in certain versions.

The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the ‘aiomatic_call_ai_function_realtime’ function in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to call arbitrary WordPress functions such as ‘update_option’ to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVE: CVE-2026-4038

Vulnerability Type: Privilege Escalation

Who Is Affected

What You Should Do

1. Update the plugin to the latest version from your WordPress dashboard (Plugins → Installed Plugins → Update).
2. Change your admin password if the vulnerability involves authentication or privilege escalation.
3. Scan your website for any signs of compromise or modified files.
4. Review your security headers — many sites we scan are also missing basic headers like HSTS and Content-Security-Policy.
5. Check your site’s trust score to see your overall security posture.

How TrustedWeb Detected This

TrustedWeb continuously monitors vulnerability databases and cross-references them with data from our website security scans. This week alone, we analyzed 75 websites and identified outdated plugins, missing security headers, SSL issues, and more.

If you’re unsure whether your website is affected, run a free scan:

About Responsible Disclosure

This vulnerability was reported through coordinated disclosure. The plugin developer was notified and has released a fix. We publish this information only after a patch is available, to help website owners protect themselves without exposing exploit details.

Source: nvd