WordPress Plugin Vulnerabilities

AI Engine: ChatGPT Chatbot < 2.2.70 - Authenticated (Editor+) Arbitrary File Upload

Description

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.2.63. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
ai-engine
Fixed in 2.2.70

References

CVE
CVE-2024-34440
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9715d1b2-1d82-4f48-89c3-9a389ab31360

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
99a50e78-fca4-4b11-a333-357c67b17eae

Timeline

Publicly Published
2024-05-07 (about 2 years ago)
Added
2024-05-16 (about 1 year ago)
Last Updated
2024-05-16 (about 1 year ago)

Other

Published
Title
Published
2025-09-29
Title
Qyrr – simply and modern QR-Code creation < 2.0.8 - Authenticated (Contributor+) Arbitrary File Upload
Published
2021-10-13
Title
Brizy < 2.3.12 - Authenticated File Upload and Path Traversal
Published
2014-08-01
Title
Pica Photo Gallery - Arbitrary File Upload
Published
2025-04-15
Title
MapSVG Lite < 8.6.5 - Contributor+ Arbitrary File Upload
Published
2024-10-15
Title
File Manager Pro < 8.3.10 - Unauthenticated Backup File Download and Upload