PT-2025-48006 · WordPress · Ai Engine For Wordpress: Chatgpt

Ryan Kozak · Published 2025-11-25 · Updated 2025-11-25 · CVE-2025-13380

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress versions up to and including 1.0.1

Description
The software contains a flaw that allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server. This is due to inadequate validation of file paths provided by users in the lqdai_update_post API endpoint and the use of the file_get_contents() function with user-controlled URLs lacking protocol restrictions within the insert_image() function. This could expose sensitive information contained in those files.

Recommendations
Versions prior to and including 1.0.1 should be updated. As a temporary workaround, restrict access to the lqdai_update_post API endpoint. Avoid using user-controlled URLs with the file_get_contents() function.
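
The protocol restriction the description says is missing can be applied before any fetch. The following is an added example, not the plugin's code or its fix; the function names is_allowed_image_url() and fetch_remote_image(), the size cap and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not the plugin's.

// True only for http(s) URLs whose host resolves to public IPv4 addresses.
function is_allowed_image_url(string $url, ?callable $resolve = null): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // local paths and file:/// URLs carry no host
    }
    // Protocol restriction: php://, phar://, data://, ftp:// etc. are refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ips = ($resolve ?? 'gethostbynamel')($parts['host']);
    if (empty($ips)) {
        return false;
    }
    foreach ($ips as $ip) {
        // Refuse loopback, private and reserved ranges (internal services).
        $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Fetch only after validation: no redirects, short timeout, size cap, image check.
function fetch_remote_image(string $url, int $maxBytes = 5242880): ?string
{
    if (!is_allowed_image_url($url)) {
        return null;
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx, 0, $maxBytes);
    return ($body !== false && @getimagesizefromstring($body) !== false) ? $body : null;
}

// Constructed inputs; the stub resolver keeps the demonstration offline.
$stub = fn(string $h) => ['cdn.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']][$h] ?? false;
foreach (['https://cdn.example/a.png', 'file:///etc/hostname', '/etc/hostname',
          'php://memory', 'http://intranet.example/a.png'] as $u) {
    printf("%-32s %s\n", $u, is_allowed_image_url($u, $stub) ? 'allowed' : 'rejected');
}
```

The host is resolved again when the fetch happens, so the check and the request can see different addresses; inside WordPress, wp_safe_remote_get() performs comparable URL validation as part of the request itself.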

Related Identifiers

CVE-2025-13380

Affected Products

Ai Engine For Wordpress: Chatgpt