PT-2026-5083 · WordPress · Ai Engine – The Chatbot/Ai Framework For Wordpress

Type5Afe

Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-1400

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

The AI Engine – The Chatbot and AI Framework for WordPress plugin versions prior to 3.3.3

Description

The AI Engine – The Chatbot and AI Framework for WordPress plugin is susceptible to arbitrary file uploads because of a lack of file type validation. This flaw exists in the rest helpers update media metadata function. Authenticated attackers with Editor-level access or higher can upload arbitrary files to the server, potentially leading to remote code execution. An attacker can upload an image file and then use the update media metadata API endpoint to rename it to a PHP file, effectively creating an executable PHP file within the uploads directory. The vulnerable API endpoint is /wp-json/aiengine/v1/rest helpers update media metadata. The vulnerable variable is file.

Recommendations

Update The AI Engine – The Chatbot and AI Framework for WordPress plugin to version 3.3.3 or later. As a temporary workaround, restrict access to the update media metadata API endpoint for users with Editor-level access and above. Disable the rest helpers update media metadata function if possible.
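
A defender-side check for the outcome described above, as an added example that is not part of the original advisory or the plugin's code: it walks an uploads directory, reports files with PHP-handled extensions, and notes whether each still begins with an image signature, which is what an uploaded image renamed to a PHP file looks like. The extension list, the 1 MiB read limit, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions your web server may hand to PHP; adjust to its config.
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}

def image_kind(head):
    """Return the image format whose signature starts `head`, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None

def audit_uploads(root):
    """Return sorted (path, image kind or None, has PHP open tag) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Only the final extension decides; case is ignored (".PHP").
            if os.path.splitext(name)[1].lower() not in PHP_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, image_kind(data[:16]), b"<?" in data))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2026", "01")
        os.makedirs(month)
        samples = {  # constructed sample files, not real artefacts
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
            "banner.PHP": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php /* placeholder */ ?>",
            "notes.php.txt": b"plain text",
        }
        for name, body in samples.items():
            with open(os.path.join(month, name), "wb") as fh:
                fh.write(body)
        return audit_uploads(root)

if __name__ == "__main__":
    print(demo())
```

A finding that carries an image signature is the pattern this advisory describes; any PHP-handled file under uploads is worth reviewing regardless of its header.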

Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-1400

Affected Products: Ai Engine – The Chatbot/Ai Framework For Wordpress