Emiliano Versini

**Name of the Vulnerable Software and Affected Versions** AI Engine plugin for WordPress versions prior to 3.1.4 AI Engine versions 2.8.x and 2.9.x prior to 2.9.5 **Description** The AI Engine plugin for WordPress has a Sensitive Information Exposure issue via the /mcp/v1/ REST API endpoint. When the 'No-Auth URL' option is enabled, this endpoint exposes the 'Bearer Token' value. Successful exploitation allows unauthenticated attackers to obtain the bearer token, granting them access to a valid session and the ability to perform actions such as creating a new administrator account, leading to privilege escalation. The vulnerability affects versions up to and including 3.1.3. Prior builds also contained privilege-escalation issues, allowing low-level users to create new admin accounts or upload arbitrary PHP files via REST endpoints. The `/mcp/v1/` API endpoint is involved in this exposure. The `Bearer Token` is the vulnerable parameter. **Recommendations** Update the AI Engine plugin to version 3.1.4 or later. If using versions 2.8.x or 2.9.x, update to at least version 2.9.5. Rotate existing tokens and API keys, assuming they may be compromised. Audit user roles to ensure Subscribers and Contributors do not have upload or plugin modification permissions. Block `.php` execution in `/wp-content/uploads/`. Disable unused REST routes. Verify the integrity of existing backups and test restoration procedures.

Name of the Vulnerable Software and Affected Versions: Secure Downloads WordPress plugin versions prior to 1.2.3 Description: The issue allows authenticated attackers with admin-level access and above to download arbitrary files, potentially containing sensitive information, such as the wp-config.php file. This is due to the plugin not properly restricting which files can be downloaded. Recommendations: For Secure Downloads WordPress plugin versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Download Manager plugin for WordPress versions up to, and including, 3.3.03 **Description** The issue allows unauthorized download of password-protected content due to improper password validation on the `checkFilePassword` function. This makes it possible for unauthenticated attackers to download password-protected files. **Recommendations** For versions up to, and including, 3.3.03, update to a version later than 3.3.03 to resolve the issue. As a temporary workaround, consider disabling the `checkFilePassword` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AI Engine WordPress plugin versions prior to 2.6.5 **Description** The issue concerns a failure to properly sanitize and escape a parameter from one of the plugin's RESP API endpoints before using it in a SQL statement. This allows administrators to perform SQL injection attacks. **Recommendations** For versions prior to 2.6.5, update to version 2.6.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoint until a patch is applied. Avoid using the vulnerable parameter in the affected API endpoint until the issue is resolved.