CVE-2025-7780

Name of the Vulnerable Software and Affected Versions AI Engine plugin for WordPress versions through 2.9.4

Description The AI Engine plugin for WordPress is susceptible to sensitive information exposure. The simpleTranscribeAudio API endpoint does not properly restrict URL schemes before invoking the get audio() function. This allows authenticated attackers with Subscriber-level access or higher to read arbitrary files on the web server and potentially exfiltrate them through the plugin’s OpenAI API integration.

Recommendations Update the AI Engine plugin to a version newer than 2.9.4. As a temporary workaround, restrict access to the simpleTranscribeAudio endpoint.