Arbitrary File Upload Vulnerability in AI Engine Plugin for WordPress
CVE-2025-7847
8.8 HIGH
What is CVE-2025-7847?
The AI Engine plugin for WordPress, in versions 2.9.3 and 2.9.4, allows authenticated users with Subscriber-level access and higher to upload arbitrary files to the server. The flaw stems from missing file type validation in the rest_simpleFileUpload() function. When the REST API is enabled, this could lead to remote code execution, posing a serious risk to the site's integrity and security.
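The kind of check the description says is missing, shown as an added example: this is a hypothetical WordPress REST upload handler, not AI Engine's own code and not its patch. The `example/v1` route, the `example_` names and the allow-list are assumptions made for illustration; the WordPress functions called are core APIs.

```php
<?php
/**
 * Added example (hypothetical handler, not AI Engine's code): a REST upload
 * endpoint that validates the file type before storing anything.
 */
const EXAMPLE_ALLOWED_MIMES = array( // constructed allow-list; adjust per site
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_upload',
        // Being logged in is not a file-type control: Subscribers pass it.
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

function example_rest_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || UPLOAD_ERR_OK !== $files['file']['error'] ) {
        return new WP_Error( 'example_no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Check extension and content against the allow-list. An extension that
    // is not listed (.php, .phtml, .phar, ...) comes back as ext === false.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], EXAMPLE_ALLOWED_MIMES );
    if ( ! $check['ext'] || ! $check['type'] ) {
        return new WP_Error( 'example_bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() re-applies the same allow-list and sanitizes the name.
    $stored = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => EXAMPLE_ALLOWED_MIMES,
    ) );
    if ( isset( $stored['error'] ) ) {
        return new WP_Error( 'example_upload_failed', $stored['error'], array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'url' => $stored['url'], 'type' => $stored['type'] ) );
}
```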
Affected Version(s)
AI Engine 2.9.3 through 2.9.4