A security advisory was issued for the AI Engine WordPress plugin, installed on over 100,000 websites, the fourth one this month. Rated 8.8, this vulnerability allows attackers with only subscriber-level authentication to upload malicious files when the REST API is enabled.
AI Engine Plugin: Fifth Vulnerability In 2025
This is the fourth vulnerability discovered in the AI Engine plugin in July, following the first one of the year discovered in June, making a total of five vulnerabilities discovered in the plugin so far in 2025. There were nine vulnerabilities discovered in 2024, one of which was rated 9.8 because it enabled unauthenticated attackers to upload malicious files, plus another rated 9.1 that also enabled arbitrary uploads.
Authenticated (Subscriber+) Arbitrary File Upload
The latest vulnerability allows authenticated arbitrary file uploads. What makes this vulnerability more dangerous is that it requires only subscriber-level authentication for an attacker to take advantage of the security weakness. That isn't as bad as a vulnerability that doesn't require authentication, but it's still rated 8.8 out of 10.
Wordfence describes the vulnerability as being caused by missing file type validation in a function related to the REST API in versions 2.9.3 and 2.9.4.
File type validation is a security measure commonly used within WordPress to make sure that the content of a file matches the type of file being uploaded to the website. Without it, an attacker can rename a PHP script with an innocuous extension, or simply upload a .php file outright, and then request it from the web-readable uploads directory to have the server execute it.
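To make the class of flaw concrete, the following is a constructed example and not AI Engine's code: a hypothetical WordPress REST upload route written first the vulnerable way (trusting the client-supplied filename and type, and accepting any logged-in user), then hardened with the plugin-independent WordPress validation functions wp_check_filetype_and_ext() and wp_handle_upload(). The namespace example/v1, the route names, and the allow-list of types are assumptions made for the illustration.

```php
<?php
// Constructed example for illustration; not the AI Engine plugin's code.
// Route namespace "example/v1" and the allowed type list are assumptions.

// --- Vulnerable pattern: no file type validation, weak permission check. ---
// Any logged-in user (Subscriber+) can call the route, and a file named
// "shell.php" is written as-is into the web-readable uploads directory.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload-vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in', // Subscriber-level is enough
        'callback'            => function ( WP_REST_Request $request ) {
            $files = $request->get_file_params();
            if ( empty( $files['file'] ) ) {
                return new WP_Error( 'no_file', 'No file sent.', array( 'status' => 400 ) );
            }
            $upload_dir = wp_upload_dir();
            $target     = $upload_dir['path'] . '/' . $files['file']['name']; // raw client name
            move_uploaded_file( $files['file']['tmp_name'], $target );       // no type check
            return new WP_REST_Response(
                array( 'url' => $upload_dir['url'] . '/' . $files['file']['name'] ),
                200
            );
        },
    ) );
} );

// --- Hardened pattern: capability check plus content-based type validation. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload-safe', array(
        'methods'             => 'POST',
        // Require the upload_files capability (Author and above by default),
        // not merely an authenticated session.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $files = $request->get_file_params();
            if ( empty( $files['file'] ) ) {
                return new WP_Error( 'no_file', 'No file sent.', array( 'status' => 400 ) );
            }
            $file         = $files['file'];
            $file['name'] = sanitize_file_name( $file['name'] );

            // Explicit allow-list: only these extension/MIME pairs are accepted.
            // PHP and other executable types are never in the list.
            $allowed = array(
                'jpg|jpeg' => 'image/jpeg',
                'png'      => 'image/png',
                'mp3'      => 'audio/mpeg',
            );

            // wp_check_filetype_and_ext() inspects the file's actual content
            // (e.g. image data, magic bytes), not just the extension or the
            // client-supplied Content-Type. A mismatch yields empty ext/type.
            $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
            if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
                return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
            }
            if ( ! empty( $check['proper_filename'] ) ) {
                // Content and extension disagree; WordPress supplies the corrected name.
                $file['name'] = $check['proper_filename'];
            }

            // wp_handle_upload() re-validates against the same allow-list and
            // writes the file under a unique name in the uploads directory.
            $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
            if ( isset( $result['error'] ) ) {
                return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 400 ) );
            }
            return new WP_REST_Response( array( 'url' => $result['url'] ), 200 );
        },
    ) );
} );
```

The two changes that matter are the permission_callback, which decides who may reach the route at all, and the allow-list passed to the validation calls, which decides what content may be written. Checking only the extension, or only the MIME type the client sends, is not enough; the content-based check is what stops a PHP payload renamed to .png from being accepted.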
According to Wordfence:
“This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server when the REST API is enabled, which may make remote code execution possible.”
Users of the AI Engine plugin are advised to update their plugin to the latest version, 2.9.5, or a newer version.
The plugin changelog for version 2.9.5 describes what was updated:
“Fix: Resolved a security issue related to SSRF by validating URL schemes in audio transcription and sanitizing REST API parameters to prevent API key misuse.
Fix: Corrected a critical security vulnerability that allowed unauthorized file uploads by adding strict file type validation to prevent PHP execution.”
Featured Image by Shutterstock/Jiri Hera