Name of the Vulnerable Software and Affected Versions:

AI Engine plugin for WordPress versions 2.9.3 through 2.9.4

Description:

The AI Engine plugin for WordPress is susceptible to arbitrary file uploads due to missing file type validation in the `rest simpleFileUpload()` function. This allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site’s server when the REST API is enabled, potentially leading to remote code execution.

Recommendations:

Update to a version of the AI Engine plugin for WordPress that addresses this issue.

Disable the REST API if it is not required.

Restrict access to the `rest simpleFileUpload()` function.