PT-2024-37638 · WordPress+1 · Ai Engine Wordpress Plugin+1
Karolis Narvilas
·
Published
2024-08-18
·
Updated
2024-08-23
·
CVE-2024-6451
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AI Engine versions < 2.4.3
AI Engine WordPress plugin versions prior to 2.5.1
Description
The issue is related to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin fails to validate the file extension of
logs path, allowing Administrators to change log filetypes from .log to .php. This can lead to potential security risks.Recommendations
For AI Engine versions < 2.4.3, update to version 2.4.3 or later to resolve the issue.
For AI Engine WordPress plugin versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to the
logs path variable to minimize the risk of exploitation.Exploit
Fix
RCE
Insertion into Log File
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ai Engine
Ai Engine Wordpress Plugin