A safety advisory was issued for the AI Engine WordPress plugin, put in on over 100,000 web sites, the fourth one this month. Rated 8.8, this vulnerability permits attackers with solely subscriber-level authentication to add malicious information when the REST API is enabled.
AI Engine Plugin: Fifth Vulnerability In 2025
That is the fourth vulnerability found within the AI Engine plugin in July, following the primary one of many 12 months found in June, making a complete of 5 vulnerabilities found within the plugin up to now in 2025. There have been 9 vulnerabilities found in 2024, certainly one of which was rated 9.8 as a result of it enabled unauthenticated attackers to add malicious information, plus one other rated 9.1 that additionally enabled arbitrary uploads.
Authenticated (Subscriber+) Arbitrary File Add
The most recent vulnerability permits authenticated file uploads. What makes this exploit extra harmful is that it requires solely subscriber-level authentication for an attacker to make the most of the safety weak spot. That isn’t as unhealthy as a vulnerability that doesn’t require authentication, however it’s nonetheless rated 8.8 on a scale of 1 to 10.
Wordfence describes the vulnerability as being attributable to lacking file sort validation in a perform associated to the REST API in variations 2.9.3 and a couple of.9.4.
File sort validation is a safety measure usually used inside WordPress to be sure that the content material of a file matches the kind of file being uploaded to the web site.
In line with Wordfence:
“This makes it doable for authenticated attackers, with Subscriber-level entry and above, to add arbitrary information on the affected website’s server when the REST API is enabled, which can make distant code execution doable.”
Customers of the AI Engine plugin are beneficial updating their plugin to the most recent model, 2.9.5, or a more moderen model.
The plugin changelog for model 2.9.5 shares what was up to date:
“Repair: Resolved a safety challenge associated to SSRF by validating URL schemes in audio transcription and sanitizing REST API parameters to stop API key misuse.
Repair: Corrected a vital safety vulnerability that allowed unauthorized file uploads by including strict file sort validation to stop PHP execution.”
Featured Picture by Shutterstock/Jiri Hera
