Geeky Bot WordPress Plugin Missing Authorization Vulnerability Allowing Unauthenticated Arbitrary Plugin Installation and Remote Code Execution
Vulnerability
A vulnerability exists in the Geeky Bot plugin for WordPress, in versions up to and including 1.2.2, due to a missing authorization check on a nopriv AJAX route (a handler registered on the wp_ajax_nopriv_ hook, which WordPress serves to logged-out visitors). This flaw allows unauthenticated attackers to dispatch model/function calls that reach a plugin installer helper. The helper downloads and unzips attacker-supplied ZIP files into the wp-content/plugins/ directory. As a result, this vulnerability enables unauthorized users to install arbitrary plugins, potentially leading to remote code execution.
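As an added illustration (not the Geeky Bot plugin's code; every hook, class and function name below is a hypothetical placeholder), the vulnerable shape the advisory describes beside a hardened handler that keeps privileged actions off the nopriv hook, checks the right capability, and dispatches only through a fixed allowlist:

```php
<?php
// Added illustration, not the Geeky Bot plugin's code. Hook and function names
// (gb_dispatch, gb_install_plugin, GB_*) are hypothetical placeholders.

// --- Vulnerable shape (as described in the advisory) -------------------------
// Registering a privileged action on wp_ajax_nopriv_* exposes it to logged-out
// visitors, and dispatching caller-chosen model/method names means any helper
// in the plugin, including a ZIP installer, becomes reachable.
add_action( 'wp_ajax_nopriv_gb_dispatch', 'gb_dispatch_vulnerable' );

function gb_dispatch_vulnerable() {
    $model  = sanitize_text_field( wp_unslash( $_POST['model'] ?? '' ) );
    $method = sanitize_text_field( wp_unslash( $_POST['method'] ?? '' ) );
    // No nonce, no capability check, no allowlist: sanitization alone does not
    // decide who may call what.
    call_user_func( array( 'GB_' . $model, $method ), $_POST );
    wp_die();
}

// --- Hardened shape ----------------------------------------------------------
// 1. Register only on wp_ajax_* (logged-in users); no nopriv variant at all.
// 2. Verify a nonce (CSRF), then check the capability that matches the action.
//    A nonce is not authorization: the current_user_can() check is what closes
//    the missing-authorization class of bug.
// 3. Dispatch through a fixed allowlist, never through caller-supplied names.
add_action( 'wp_ajax_gb_dispatch_secure', 'gb_dispatch_hardened' );

function gb_dispatch_hardened() {
    check_ajax_referer( 'gb_dispatch', 'nonce' );

    $handlers = array(
        // action name => array( required capability, callback )
        'install_plugin' => array( 'install_plugins', 'gb_install_plugin' ),
        'get_status'     => array( 'read',            'gb_get_status' ),
    );

    $action = sanitize_key( $_POST['gb_action'] ?? '' );
    if ( ! isset( $handlers[ $action ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action.' ), 400 );
    }
    list( $cap, $callback ) = $handlers[ $action ];
    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    call_user_func( $callback );
}

function gb_install_plugin() {
    $package = esc_url_raw( wp_unslash( $_POST['package'] ?? '' ) );
    // Restrict the package source; an arbitrary URL means arbitrary code on disk.
    if ( 0 !== strpos( $package, 'https://downloads.wordpress.org/plugin/' ) ) {
        wp_send_json_error( array( 'message' => 'Package source not allowed.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package ); // true, false or WP_Error

    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Plugin installed (not activated).' ) );
}

function gb_get_status() {
    wp_send_json_success( array( 'version' => get_bloginfo( 'version' ) ) );
}
```

The allowlist pairs each action with the capability it needs, so a low-privilege logged-in user can reach get_status but not install_plugin; dropping the nopriv registration removes the unauthenticated path, and the current_user_can() check is what actually fixes the missing authorization even if a nopriv hook were ever added back.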
Impact
Exploitation of this vulnerability allows unauthorized plugin installation, which could be used to execute malicious code remotely, depending on the functionality of the installed plugin.
Remediation
Users are advised to update the Geeky Bot WordPress plugin to version 1.2.3 or a later patched version.
