Arbitrary File Upload Vulnerability in Aiomatic Plugin for WordPress
CVE-2025-6206

7.5 HIGH

What is CVE-2025-6206?

The Aiomatic - Automatic AI Content Writer & Editor plugin for WordPress is vulnerable to arbitrary file upload because the 'aiomatic_image_editor_ajax_submit' function does not properly validate the type of the file being uploaded. All versions up to and including 2.5.0 are affected. An authenticated attacker with Subscriber-level access or higher can use this flaw to upload arbitrary files to the affected site's server, which may make remote code execution possible and so lead to a takeover of the site. Exploitation additionally requires that the plugin's Stability.AI API key setting has been given a value; any arbitrary value suffices, so the key does not need to be valid and this setting is a precondition for reaching the vulnerable code path rather than a security control.
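The advisory does not publish the vulnerable code, so the following is an added illustrative example written for this page, not Aiomatic's code: an AJAX upload handler in the shape WordPress plugins typically use, first in the weak form that produces this class of bug (client-supplied filename trusted, no capability or nonce check), then hardened with a capability check, a nonce check and WordPress's own extension-and-content validation. The hook name, nonce action, the 'image' form field and the 'aio_demo_' prefix are assumptions; the WordPress functions used (check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_send_json_*) are real core APIs.

```php
<?php
// Added illustrative example, not the plugin's code. Names prefixed
// 'aio_demo_' and the 'image' field are assumptions for this demo.

// --- Weak pattern: the kind of handler that yields an arbitrary file upload ---
function aio_demo_upload_weak() {
    // No nonce check (CSRF-able) and no capability check: any logged-in
    // user, including a Subscriber, reaches this code path.
    $file = $_FILES['image'];
    // Trusts the client-supplied name and MIME type; "shell.php" is written
    // straight into the web-served uploads directory.
    $dest = wp_upload_dir()['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened handler ---
function aio_demo_upload_hardened() {
    // 1. CSRF protection: dies with 403 unless a valid nonce for this
    //    action is present in the 'nonce' request parameter.
    check_ajax_referer( 'aio_demo_upload', 'nonce' );

    // 2. Authorization: Subscribers do not have 'upload_files' by default,
    //    so require it explicitly instead of relying on "is logged in".
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['image'] ) || $_FILES['image']['error'] !== UPLOAD_ERR_OK ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['image'];

    // 3. Allowlist of image types only. Keys are the permitted extension
    //    patterns (WordPress 'mimes' format), values the MIME type accepted.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'webp'     => 'image/webp',
    );

    // 4. Validate extension AND content. wp_check_filetype_and_ext() inspects
    //    the actual bytes and returns false for 'ext' and 'type' when the
    //    extension, declared MIME type and real content do not agree, so a
    //    PHP file renamed to .png is rejected here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // WordPress may correct the name (e.g. "a.png" that is really a JPEG).
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // 5. Let wp_handle_upload() perform the move: it re-applies the 'mimes'
    //    allowlist, sanitizes the filename and places the file under the
    //    uploads directory rather than at a client-chosen path.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Only the hardened handler is registered; the weak one is shown for contrast.
add_action( 'wp_ajax_aio_demo_upload', 'aio_demo_upload_hardened' );
```

Note what the hardened version changes relative to the advisory: the capability check removes the Subscriber-level reachability, and the content-based type check removes the "failure in proper file type validation". A gate such as "is the Stability.AI API key set", which the advisory names as the only extra precondition, is not an authorization control and would not have stopped the weak handler from being abused.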

Affected Version(s)

Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit * <= 2.5.0

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tran Nguyen Bao Khanh (from VCI - VNPT Cyber Immunity)