Impact statement: CVE-2026-2993 affects the AI Chatbot & Workflow Automation by AIWU WordPress plugin, also listed in the WordPress plugin directory as AI Copilot – Content Generator. Wordfence and NVD report that versions up to and including 1.4.17 are vulnerable to SQL injection. Because the latest public plugin listing still shows 1.4.17, site owners should disable or remove the plugin until a confirmed fixed release is available.
The risk is sensitive database exposure. A vulnerable AI/chatbot automation plugin may have access to posts, users, WooCommerce data, workflow settings, API integrations, and other site data. If you run this on a customer site, treat it as a real incident-prevention task, not routine plugin noise.
Who Should Care
- WordPress sites using AIWU / AI Copilot – Content Generator.
- WooCommerce stores using AI chatbot or workflow automation features.
- Agencies that installed AI automation plugins across multiple client sites.
- Hosting providers that scan managed WordPress accounts for vulnerable plugins.
- Site owners that recently tested AI chatbot, SEO automation, or MCP-style WordPress control plugins.
Affected Versions
NVD says AI Chatbot & Workflow Automation by AIWU versions up to and including 1.4.17 are affected. The WordPress.org plugin page currently lists version 1.4.17 and shows an earlier 1.4.11 changelog entry marked as a security fix, but NVD still lists this issue through 1.4.17, so do not read that changelog note as evidence that this CVE is fixed. Until the vendor ships a clearly fixed version, remove or disable the plugin.
Exploitation Status
Fix I.T. Phill is not publishing unsafe request details, input names, or reproduction steps. NVD lists this as CVSS 7.5 High with no privileges or user interaction required. That is enough for WordPress administrators to act quickly.
Immediate WordPress Admin Steps
- Back up the site files and database before making changes.
- Disable AIWU / AI Copilot – Content Generator.
- If the site does not absolutely need the plugin, remove it until a fixed version is confirmed.
- Rotate API keys connected to AI providers or workflow integrations if suspicious activity is found.
- Review administrator users, new posts/pages, WooCommerce orders, and unexpected plugin/theme changes.
# From the WordPress document root, check whether the plugin is present.
wp plugin list --fields=name,status,version | grep -Ei 'aiwu|ai-copilot|content-generator' || true
# Disable the plugin while you investigate.
wp plugin deactivate ai-copilot-content-generator
# If you choose removal, preserve a backup first, then remove the plugin.
wp plugin delete ai-copilot-content-generator
If the plugin slug differs on your site, use the slug shown by wp plugin list or disable it from the WordPress dashboard under Plugins.
cPanel And Hosting Checklist
- Use WP Toolkit, Installatron, Softaculous, or WP-CLI to search for the plugin across hosted accounts.
- Prioritize WooCommerce, membership, LMS, and customer-data-heavy sites first.
- Review recent database exports, new admin users, modified plugin files, and unfamiliar scheduled tasks.
- Scan the account for unexpected executable files and recently modified PHP files.
- Tell customers whether the plugin was found, whether it was disabled, and what they need to replace or reconnect.
# cPanel/WHM style account search from root.
find /home -path '*/wp-content/plugins/ai-copilot-content-generator' -type d -print 2>/dev/null
# Look for recent plugin changes in affected accounts.
find /home -path '*/wp-content/plugins/ai-copilot-content-generator/*' -type f -mtime -14 -print 2>/dev/null
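The admin steps and the hosting checklist above are one procedure: find every copy of the plugin, read its version, and disable it where it falls in the affected range. The script below is an added example written for this page, not code from Fix I.T. Phill, AIWU, or WordPress.org. It assumes the plugin directory is named ai-copilot-content-generator (the slug used above), that the main plugin file is a top-level PHP file carrying a Plugin Name: header (the usual WordPress layout; the real file name is not stated on this page), and that WP-CLI is installed as wp if you opt into deactivation. Versions above 1.4.17 are reported as above-range, not as fixed, because no fixed release is confirmed.

```shell
#!/bin/sh
# Added example for this advisory; not vendor or Fix I.T. Phill code.
# Finds every copy of the plugin under a hosting root, reads its Version:
# header, flags versions in the affected range (<= 1.4.17) and, only when
# DEACTIVATE=1, disables it with WP-CLI.
# Assumptions: plugin directory named ai-copilot-content-generator, a top-level
# PHP file with a "Plugin Name:" header, and "wp" on PATH for deactivation.

PLUGIN_SLUG=${PLUGIN_SLUG:-ai-copilot-content-generator}
LAST_AFFECTED=${LAST_AFFECTED:-1.4.17}   # highest version NVD lists as affected

# version_le A B: exit 0 when dotted version A <= B (numeric, field by field).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# plugin_version DIR: print the Version: header from the main plugin file in DIR.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        if grep -q 'Plugin Name:' "$f"; then
            sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
            return 0
        fi
    done
    return 1
}

# is_affected VERSION: exit 0 when VERSION is within the published affected range.
is_affected() {
    version_le "$1" "$LAST_AFFECTED"
}

# scan_root ROOT: one line per install found: "<status> <version> <docroot>".
# Unknown versions are treated as affected; higher versions are "above-range",
# which is not the same as confirmed fixed.
scan_root() {
    find "$1" -type d -path "*/wp-content/plugins/$PLUGIN_SLUG" 2>/dev/null |
    while IFS= read -r dir; do
        docroot=${dir%/wp-content/plugins/*}
        ver=$(plugin_version "$dir" 2>/dev/null || true)
        [ -n "$ver" ] || ver=unknown
        if [ "$ver" = unknown ] || is_affected "$ver"; then
            status=AFFECTED
            if [ "${DEACTIVATE:-0}" = 1 ]; then
                wp --path="$docroot" --allow-root plugin deactivate "$PLUGIN_SLUG" \
                    && status=DEACTIVATED
            fi
        else
            status=above-range
        fi
        printf '%s %s %s\n' "$status" "$ver" "$docroot"
    done
}

# Usage: SCAN_ROOT=/home sh scan-aiwu.sh        (report only)
#        SCAN_ROOT=/home DEACTIVATE=1 sh scan-aiwu.sh   (report and disable)
if [ -n "${SCAN_ROOT:-}" ]; then
    scan_root "$SCAN_ROOT"
fi
```

Run it in report-only mode first and keep the output with the ticket; rerun with DEACTIVATE=1 only after the backups from the admin steps are in place. Because is_affected compares against the published ceiling rather than a fixed-version floor, raise LAST_AFFECTED if NVD or Wordfence widen the range later.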
What To Review After Disabling
- WordPress administrator and editor accounts.
- WooCommerce customer/order exports and unusual account changes.
- AI provider keys, webhook tokens, workflow connectors, and automation secrets configured in the plugin.
- Recent posts, pages, snippets, theme files, and plugin files.
- Web server logs for unusual requests to WordPress admin and plugin paths.
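For the log review item above, two quick passes over a combined-format access log are usually enough to decide whether a deeper incident response is needed: who touched the plugin's directory, and which requests to the site carried generic SQL-injection markers after percent-decoding. The functions below are an added example for this page, not code from the advisory's author or the plugin vendor. The sample log lines are constructed for the example; the admin-ajax request in them uses a made-up parameter (action=example) as a generic marker and is not the vulnerable request for this CVE, which this page deliberately does not describe.

```shell
#!/bin/sh
# Added example for this advisory; not vendor or Fix I.T. Phill code.
# Works on Apache/nginx combined log format, where field 7 is the request path.

PLUGIN_SLUG=${PLUGIN_SLUG:-ai-copilot-content-generator}

# plugin_hits_by_ip [FILE...]: count requests under the plugin directory per
# client IP, busiest first. Scanners usually probe readme.txt or the directory.
plugin_hits_by_ip() {
    awk -v slug="$PLUGIN_SLUG" '
    index($7, "/wp-content/plugins/" slug "/") > 0 { c[$1]++ }
    END { for (ip in c) print c[ip], ip }' "$@" | sort -rn
}

# suspicious_requests [FILE...]: print lines whose request path, after
# percent-decoding and lowercasing, contains common injection markers.
# Heuristic only: expect some false positives and tune the pattern for the site.
suspicious_requests() {
    awk -v q="'" '
    function hexval(h,   i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", substr(tolower(h), i, 1)) - 1
        return v
    }
    function urldecode(s,   out) {
        out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1) sprintf("%c", hexval(substr(s, RSTART + 1, 2)))
            s = substr(s, RSTART + RLENGTH)
        }
        s = out s
        gsub(/\+/, " ", s)
        return s
    }
    {
        dec = tolower(urldecode($7))
        if (index(dec, q) > 0 || dec ~ /union[[:space:]]+select|sleep\(|benchmark\(|information_schema/)
            print
    }' "$@"
}

# Constructed sample log (not real traffic) so the functions can be tried offline.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /wp-content/plugins/ai-copilot-content-generator/assets/app.js HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=1%27%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2026:10:05:44 +0000] "GET /?p=42 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:05:45 +0000] "GET /wp-content/plugins/ai-copilot-content-generator/readme.txt HTTP/1.1" 200 800 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:10:05:46 +0000] "GET /wp-content/plugins/ai-copilot-content-generator/ HTTP/1.1" 403 0 "-" "python-requests/2.31"
EOF
}

# Usage on a real host:
#   plugin_hits_by_ip /var/log/apache2/access.log
#   zcat /var/log/nginx/access.log.*.gz | suspicious_requests
```

On the constructed sample, plugin_hits_by_ip reports 198.51.100.7 twice (readme.txt and the bare plugin directory, a typical version probe) and suspicious_requests returns only the admin-ajax line, because its %27 decodes to a quote followed by UNION SELECT. Correlate any hit with the database-side checks in this section (new admin users, unexpected exports) rather than treating a single flagged line as proof of compromise.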
Customer Communication Notes
Use plain wording: a high-severity SQL injection was disclosed in an AI WordPress plugin; the latest listed version is still in the affected range; the safest action is to disable/remove it, review the site, and reconnect any AI/workflow features only after a fixed release is available.
CDN And WAF Virtual Patch Note
A WAF can help reduce risk for exposed WordPress traffic, but it is not a substitute for disabling or removing a vulnerable plugin. The CDN/WAF side should review WordPress application profiles for AIWU/AI Copilot traffic, raise anomaly scoring for suspicious database-oriented request behavior, and avoid publishing any scanner-ready details.
Sources
- NVD: CVE-2026-2993
- Wordfence vulnerability record for CVE-2026-2993
- WordPress.org plugin page: AI Copilot – Content Generator
Need help scanning a WordPress hosting account or replacing an AI chatbot/workflow plugin safely? Open a ticket through Help4Network.com.
