Server-Side Request Forgery in AI Engine Plugin for WordPress
CVE-2026-0746
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 27 January 2026
What is CVE-2026-0746?
The AI Engine plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access or higher to exploit the 'get_audio' function to perform Server-Side Request Forgery (SSRF) attacks. This could enable them to make unauthorized web requests to arbitrary locations from the web application. If the 'Public API' feature is enabled and the 'allow_url_fopen' setting is activated on the server, this could lead to sensitive internal services being queried or modified, increasing the risk of data exposure and further attacks.
Affected Version(s)
AI Engine β The Chatbot, AI Framework & MCP for WordPress 0 <= 3.3.2