Arbitrary File Upload Vulnerability in AI Engine Plugin for WordPress
CVE-2025-7847
What is CVE-2025-7847?
The AI Engine plugin for WordPress contains a security flaw that allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server. The vulnerability stems from missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. When the REST API is enabled, an uploaded file could be executed on the server, making remote code execution possible and posing a serious risk to the site's integrity and security.
Affected Version(s)
AI Engine 2.9.3 through 2.9.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved