PT-2025-31474 · WordPress · Ai Engine Wordpress Plugin

Ismailshadow · Published 2025-07-31 · Updated 2025-08-12 · CVE-2025-7847

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AI Engine plugin for WordPress versions 2.9.3 and 2.9.4

Description

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the affected site's server when the REST API is enabled, potentially leading to remote code execution.

Recommendations

Update to a version of the AI Engine plugin for WordPress that addresses this issue. Disable the REST API if it is not required. As a temporary workaround, restrict access to the rest_simpleFileUpload() function.

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2025-7847

Affected products

Ai Engine Wordpress Plugin