Arbitrary File Upload Vulnerability in AI Engine for WordPress
CVE-2026-1400
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 28 January 2026
What is CVE-2026-1400?
The AI Engine, a chatbot and AI framework plugin for WordPress, is prone to an arbitrary file upload vulnerability due to insufficient validation of file types in the rest_helpers_update_media_metadata function. This flaw permits authenticated users with Editor-level access and higher to upload potentially harmful files onto the server. An attacker could upload a harmless image and later exploit the update_media_metadata endpoint to rename the file to a PHP executable, leading to the execution of malicious code in the site's uploads directory.
Affected Version(s)
AI Engine β The Chatbot, AI Framework & MCP for WordPress 0 <= 3.3.2