
Gavin Rosenbush

#29777 of 53,633
8.8 Total CVSS
Vulnerabilities · 1
PT-2025-6446
8.8
2025-02-12
WordPress · All-Images.Ai · CVE-2024-13714
**Name of the Vulnerable Software and Affected Versions**

All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress versions up to, and including, 1.0.4

**Description**

The issue is related to arbitrary file uploads due to missing file type validation in the `_get_image_by_url` function. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible.

**Recommendations**

For versions up to, and including, 1.0.4, update to a version that includes a fix for the missing file type validation in the `_get_image_by_url` function. As a temporary workaround, consider disabling the `_get_image_by_url` function until a patch is available.