Arbitrary File Read Vulnerability in AI Engine for WordPress by ChatGPT
CVE-2025-13380

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Ai Engine For WordPress: Chatgpt, Gpt Content Generator
Vendor: CVE Published:; 25 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13380?

The AI Engine for WordPress: ChatGPT plugin is susceptible to an Arbitrary File Read vulnerability due to inadequate validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint. This issue arises from the improper use of file_get_contents() with URLs controlled by users without proper protocol restrictions within the insert_image() function. Consequently, authenticated users with Contributor-level access and higher can exploit this vulnerability to access arbitrary files on the server, potentially disclosing sensitive information.

Affected Version(s)

AI Engine for WordPress: ChatGPT, GPT Content Generator * <= 1.0.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13380
Created by d0n601

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/liquid-chatgpt...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 25, 2025
🟡
Public PoC available
Nov 20, 2025
👾
Exploit known to exist
Nov 20, 2025
Vulnerability Reserved
Nov 18, 2025

Credit

Ryan Kozak

JSON