WordPress Plugin Vulnerabilities

AiBud WP <= 1.9 - Admin+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
aibuddy-openai-chatgpt
No known fix

References

CVE
CVE-2025-23968
URL
https://patchstack.com/database/wordpress/plugin/aibuddy-openai-chatgpt/vulnerability/wordpress-aibud-wp-plugin-1-8-5-arbitrary-file-upload-vulnerability

Miscellaneous

Original Researcher
Ryan Kozak
Verified
No
WPVDB ID
3dc81a52-cba8-4c34-8393-2e56c892dfd8

Timeline

Publicly Published
2025-07-03 (about 11 months ago)
Added
2025-07-08 (about 11 months ago)
Last Updated
2025-08-05 (about 10 months ago)

Other

Published
Title
Published
2025-09-16
Title
StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More < 1.5.1 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2021-03-26
Title
N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE
Published
2014-08-01
Title
SFBrowser 1.4.5 - connectors/php/sfbrowser.php File Upload PHP Code Execution
Published
2014-08-01
Title
Premium Gallery Manager - Shell Upload
Published
2024-12-18
Title
WP SuperBackup < 2.4 - Unauthenticated Arbitrary File Upload