PT-2025-31474 · WordPress · Ai Engine Wordpress Plugin

Ismailshadow · Published 2025-07-31 · Updated 2025-08-12 · CVE-2025-7847

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
AI Engine plugin for WordPress versions 2.9.3 and 2.9.4

Description
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function. This allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the affected site's server when the REST API is enabled, potentially leading to remote code execution.

Recommendations
Update to a version of the AI Engine plugin for WordPress that addresses this issue. Disable the REST API if it is not required. As a temporary workaround, restrict access to the rest_simpleFileUpload() function.
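
The class of fix the description points to, as an added example that is not AI Engine's code or its patch: a WordPress REST upload handler that requires the `upload_files` capability (which the default Subscriber role lacks) and enforces an extension/MIME allowlist before the file is stored. The route namespace, the function name, the `file` field name and the allowlist contents are assumptions chosen for illustration.

```php
<?php
// Added example: hypothetical plugin code, not AI Engine's implementation.
// Route 'example/v1/upload' and example_handle_upload() are assumed names.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_upload',
        // Check a capability, not just "is logged in": the default
        // Subscriber role does not have upload_files.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function example_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || UPLOAD_ERR_OK !== $files['file']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Explicit allowlist (extension pattern => MIME type). Anything else,
    // including .php and .phtml, is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Validates the extension against the allowlist and compares it with the
    // content type WordPress detects from the file itself, where it can.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }

    // wp_handle_upload() lives in an admin include that REST requests do not load.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $moved['url'] ) );
}
```

Passing the same allowlist to `wp_handle_upload()` keeps the second, built-in type check aligned with the first, so a file that slips past one is still rejected by the other.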

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-7847

Affected Products

Ai Engine Wordpress Plugin