Two serious WordPress security vulnerabilities broke this week, and they affect sites running AI plugins. WordPress 7.0, released May 20, 2026, ships a new AI infrastructure layer that stores API credentials in the WordPress database. Within 48 hours of launch, a live bug was confirmed that exposes those keys through browser autofill on the admin setup form. Separately, the AIWU plugin has three unpatched CVEs including a critical SQL injection flaw. If your site runs AI integrations, read this now.
WordPress 7.0 and the AI API Key Problem
WordPress 7.0 “Armstrong” ships with the WP AI Client, an Abilities API, and an AI Services Registry. The idea is straightforward: plugins can register AI service connections through a standard interface, and those connections get stored in the WordPress database. Site owners configure their OpenAI, Claude, or Gemini API keys through a settings page in wp-admin.
The problem is what happens when those keys are stored in the database. WordPress powers 43% of all websites. That means hundreds of millions of sites now have a new category of high-value credential sitting in wp_options. Patchstack founder Oliver Sild warned immediately that “there will be an absolute rush by hackers to steal API keys.” He was not being dramatic. API keys for OpenAI, Anthropic, and Google can be worth tens of thousands of dollars when used to run AI bot networks for social engineering and fraud.
Within 48 hours of the WordPress 7.0 release, a confirmed bug demonstrated that browser autofill can visually expose API keys on the wp-admin AI setup form. The key populates into a visible field during autofill and can be captured through JavaScript if the admin session is compromised. The underlying issue is that WordPress’s secrets management was not designed for credentials of this sensitivity.
CVE-2026-2955: AIWU Plugin Stored XSS
CVE-2026-2955 is a stored cross-site scripting flaw in the AI Chatbot and Workflow Automation by AIWU plugin for WordPress. It affects all versions up to and including 1.4.17. A logged-in user with contributor-level access or higher can inject persistent JavaScript into content fields. That script runs in the browser of any admin or visitor who views the affected content.
Stored XSS is more dangerous than reflected XSS because the payload does not need a victim to click a crafted link. The malicious script sits in the database and fires automatically whenever the page loads. An attacker who exploits this can steal session cookies, hijack admin sessions, redirect visitors, or place credential-harvesting code on the site.
No complete fix is available yet. If you run AIWU, your options right now are to deactivate the plugin, apply a WAF rule to block requests to the vulnerable endpoints, or wait for a patch above version 1.4.17.
CVE-2026-2993: AIWU Plugin SQL Injection
The same plugin has a second, more serious flaw. CVE-2026-2993 is an unauthenticated SQL injection in the AIWU plugin’s getListForTbl() function. No login is required to exploit it. An attacker sends a crafted HTTP request and appends additional SQL to the query. This can extract usernames, hashed passwords, API keys, and any other data stored in the WordPress database.
The CVSS score is 9.3, which puts it in the critical range. A partial mitigation was added in version 1.4.11 with a nonce check, but the nonce is only available to administrators. Unauthenticated attack paths remain open on all versions through 1.4.17.
If exploitation is suspected, rotate all database credentials and WordPress admin passwords immediately. Also audit the wp_users table for accounts that should not be there.
WordPress 7.0 AI Key Exposure: What Actually Happens
The AI API key exposure in WordPress 7.0 is not a simple plugin bug. It reflects a deeper architectural issue. WordPress was built to store post content and settings, not high-value secrets. The wp_options table has always been a target for attackers. Every SQL injection, database backup, or plugin that reads options can now potentially access AI credentials worth real money.
The browser autofill exposure is specific: when an admin visits the AI settings page and their browser autofills the API key field, the value briefly appears in a text input. If the admin session is compromised through a separate XSS flaw or session hijack, that visible value can be captured by malicious JavaScript running on the page. It is a compound attack chain, not a standalone trivial bug. But Patchstack’s 2026 State of WordPress Security report makes the risk real: the median time to mass exploitation of high-impact WordPress vulnerabilities is five hours, and 46% of plugin vulnerabilities have no patch at the time of public disclosure.
What to Do Right Now
For sites running AIWU, take these steps immediately:
# Check your AIWU plugin version from command line
wp plugin get aiwu --field=version --allow-root
# Deactivate immediately if version is 1.4.17 or below
wp plugin deactivate aiwu --allow-root
# Check for unexpected admin accounts
wp user list --role=administrator --allow-rootFor all WordPress sites using AI plugins with API keys stored in the database:
- Check wp-admin for any API keys you have configured. Note which services they belong to.
- Rotate those keys immediately through the provider dashboard. OpenAI, Anthropic, and Google all let you revoke and regenerate keys in under two minutes.
- Avoid storing keys in the database at all where possible. Use environment variables through
wp-config.phpfor sensitive credentials:define('OPENAI_API_KEY', getenv('OPENAI_API_KEY')); - Install a WAF plugin like Wordfence or apply server-level WAF rules through your hosting panel if you cannot patch the plugin immediately.
- Review your WordPress user list and remove any accounts that should not have contributor access or higher.
For the WordPress 7.0 AI autofill issue specifically, the workaround is to use a password manager to fill API keys rather than browser autofill, and to ensure no persistent XSS payloads exist on your admin pages by auditing content with contributor-level access.
The Bigger Picture for 2026
This week’s WordPress security vulnerabilities are part of a pattern. The average WordPress site faces 172 attack attempts per day in 2026. WordPress vulnerabilities increased 34% year over year. The arrival of AI integrations adds a new incentive layer: a compromised WordPress site now potentially hands attackers access to paid AI compute worth far more than the site itself.
WordPress co-founder Matt Mullenweg responded to the concerns by noting the “vast majority” of WordPress sites are secure and that he has run sites for over 20 years without a breach. That is true for well-maintained sites. But the concern from the security community is about the millions of sites that are not well-maintained and now have high-value AI credentials sitting in an exposed database.
The practical takeaway is the same as it has always been for WordPress: keep core updated, audit your plugins aggressively, remove anything unused, and apply server-level hardening. For the server side of that hardening, see our Linux server hardening checklist which covers the firewall, SSH, and WAF configuration that protects the server your WordPress runs on. If you are also working through kernel-level vulnerabilities on the same server, check our guide on patching CVE-2026-31431 Copy Fail.
Summary
Two things to act on today. First, deactivate the AIWU plugin if your version is 1.4.17 or below. Both CVE-2026-2955 (stored XSS) and CVE-2026-2993 (unauthenticated SQL injection, CVSS 9.3) are unpatched. Second, rotate any AI API keys stored in your WordPress database and move them to environment variables where possible. WordPress security vulnerabilities involving AI credentials are now a high-value target. The economics of exploitation have changed. Treat your API keys with the same urgency as database passwords.