Arbitrary File Upload Vulnerability in AI Engine for WordPress
CVE-2026-1400

7.2HIGH

Key Information:

Vendor

WordPress
Status
Ai Engine – The Chatbot And Ai Framework For WordPress
Vendor
CVE Published:
28 January 2026

What is CVE-2026-1400?

The AI Engine, a chatbot and AI framework plugin for WordPress, is prone to an arbitrary file upload vulnerability due to insufficient validation of file types in the rest_helpers_update_media_metadata function. This flaw permits authenticated users with Editor-level access and higher to upload potentially harmful files onto the server. An attacker could upload a harmless image and later exploit the update_media_metadata endpoint to rename the file to a PHP executable, leading to the execution of malicious code in the site's uploads directory.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

AI Engine – The Chatbot and AI Framework for WordPress * <= 3.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/ai-engine/tags...
https://plugins.trac.wordpress.org/browser/ai-engine/tags...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M Indra Purnama
JSON
.