PT-2024-15760 · WordPress · The Ai Engine: Chatbots
Rootxsudip
+1
·
Published
2024-02-05
·
Updated
2024-02-13
·
CVE-2024-0699
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress versions up to, and including, 2.1.4
Description
The issue is related to arbitrary file uploads due to missing file type validation in the
add image from url function. This allows authenticated attackers with Editor access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible.Recommendations
For versions up to, and including, 2.1.4, update to a version that includes a fix for the missing file type validation in the
add image from url function to prevent arbitrary file uploads.
As a temporary workaround, consider restricting access to the add image from url function for users with Editor access and above until a patch is available.Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
The Ai Engine: Chatbots