WordPress Plugin Vulnerabilities

AI Engine < 2.1.5 - Editor+ Arbitrary File Upload via add_image_from_url

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
ai-engine
Fixed in 2.1.5

References

CVE
CVE-2024-0699
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0a86f6ed-9755-4265-bc0d-2d0e18e9982f

Miscellaneous

Original Researcher
rootxsudip
Verified
No
WPVDB ID
907abe84-0ac5-43d5-bbbc-d32c34cc3fa5

Timeline

Publicly Published
2024-01-18 (about 2 years ago)
Added
2024-01-20 (about 2 years ago)
Last Updated
2024-01-20 (about 2 years ago)

Other

Published
Title
Published
2025-09-08
Title
Doccure Core < 1.5.4 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
Rich Widget - File Upload
Published
2024-11-20
Title
Pathomation <= 2.5.1 - Unauthenticated Arbitrary File Upload
Published
2024-01-30
Title
WordPress < 6.4.3 - Admin+ PHP File Upload
Published
2014-08-01
Title
Wordpress Levo-Slideshow - Arbitrary File Upload