The UltimateAI plugin for WordPress suffers from an authentication bypass vulnerability (CWE-288) due to insufficient verification of the user parameter in the 'ultimate_ai_register_or_login_with_google' function. This flaw allows unauthenticated attackers to impersonate any existing user on the site, including administrators, by leveraging knowledge of the user's email address. The vulnerability affects all versions up to and including 2.8.3. It has a CVSS 3.1 base score of 9.8, reflecting its critical severity with network attack vector, no required privileges, and no user interaction needed. No patch or official fix has been disclosed yet, and the product is not a cloud service, so remediation depends on vendor updates.

Successful exploitation allows an unauthenticated attacker to bypass authentication controls and log in as any user, including administrators, leading to full compromise of the affected WordPress site. This includes complete confidentiality, integrity, and availability impact as indicated by the CVSS vector (C:H/I:H/A:H). The attacker can gain unauthorized administrative access, potentially leading to site defacement, data theft, or further malicious activity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the UltimateAI plugin or restricting access to the affected functionality if possible. Monitor vendor channels for updates and apply patches promptly once available. No vendor advisory or patch links are currently provided.