WordPress AI Engine plugin puts 50k sites at risk
Take action: If you are using the AI Engine WordPress plugin, update immediately to version 1.9.99. The plugin is inherently visible on the internet and will very quickly be exploited by cybercrime groups' automated tools.
A security issue has been detected in the AI Engine plugin for WordPress, particularly in its free variant, which is currently active on over 50,000 sites. This plugin is highly valued for its range of AI capabilities, enabling the creation of chatbots, content management, and the use of various AI tools like translation and SEO optimization.
The cybersecurity organization Patchstack reported a vulnerability tracked as CVE-2023-51409. This flaw, an unauthenticated arbitrary file upload vulnerability, is found within the plugin's `rest_upload` function, located in the `files.php` module. The critical issue allows any user, even without authentication, to upload files of any kind, including potentially harmful PHP files. This could lead to unauthorized code execution on the system hosting the plugin.
To address this issue, the developers of the AI Engine plugin released a fix in version 1.9.99. This update introduces a permission verification for the custom REST API endpoint and integrates checks for file types and extensions using the `wp_check_filetype_and_ext` function.
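The two controls the fix adds are standard WordPress REST API patterns, so they are worth seeing together. The following is an added example written for this article, not code from the AI Engine plugin or its developers: a hypothetical plugin upload endpoint (the `example-plugin/v1` namespace, the `/upload` route and the function names are assumptions) that is gated by a `permission_callback` and validates the uploaded file with `wp_check_filetype_and_ext` before handing it to `wp_handle_upload`.

```php
<?php
// Added example, not the AI Engine plugin's own code. A hypothetical WordPress
// REST upload endpoint hardened in the way the 1.9.99 fix is described:
// a permission_callback on the route plus wp_check_filetype_and_ext() on the file.
// Namespace, route and function names are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_rest_upload',
        // The weak setting is '__return_true' (or omitting permission_callback),
        // which leaves the endpoint reachable by unauthenticated visitors.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function example_plugin_rest_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || empty( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Allow only the types this endpoint actually needs, rather than
    // everything in get_allowed_mime_types(). PHP is never on this list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'txt'      => 'text/plain',
    );

    // Checks the extension against the allow-list and, for images, compares it
    // with the file's real content; 'ext' and 'type' come back false on failure.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }
    // WordPress may suggest a corrected name when the extension did not match
    // the detected image type; use it so the stored name reflects the content.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // wp_handle_upload() applies the same MIME allow-list again and moves the
    // file into the uploads directory under a sanitized, unique name.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }

    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

Both checks matter independently: the `permission_callback` stops unauthenticated callers before the handler runs, and the file-type validation limits what an authenticated but low-privilege account can place on disk. A site owner reviewing a plugin can look for exactly these two things in any `register_rest_route` call that accepts files.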
It is highly recommended that users promptly upgrade their AI Engine plugin to version 1.9.99 or later to secure their systems against possible attacks.