AI Engine < 3.3.3 – Editor+ Arbitrary File Upload | CVE 2026-1400 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.

Affects Plugins

Fixed in 3.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

b896dc1d-ce7d-4ed1-8661-b74a48d5d40f

Timeline

Publicly Published

2026-01-27 (about 2 months ago)

Added

2026-01-27 (about 2 months ago)

Last Updated

2026-01-27 (about 2 months ago)

Other

Published

Title

Published

2025-12-03

Title

GravityForms < 2.9.23.1 - Unauthenticated Arbitrary File Upload

Published

2024-11-13

Title

Convert Docx2post <= 1.4 - Authenticated (Author+) Arbitrary File Upload

Published

2024-10-17

Title

WP REST API FNS <= 1.0.0 - Unauthenticated Arbitrary File Upload

Published

2024-04-22

Title

ActiveDEMAND < 0.2.42 - Unauthenticated Arbitrary File Upload

Published

2025-07-23

Title

Ebook Store < 5.8013 - Unauthenticated Arbitrary File Upload