WordPress Plugin Vulnerabilities

AI Engine 2.9.3 - 2.9.4 - Subscriber+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible.

Affects Plugins

Plugin icon
ai-engine
Fixed in 2.9.5

References

CVE
CVE-2025-7847
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1c1c7ec9-d01f-433d-abec-dc2b6ff684c7

Miscellaneous

Original Researcher
ISMAILSHADOW
Verified
No
WPVDB ID
bf939793-d7a8-4d62-80ea-7420541b4ea1

Timeline

Publicly Published
2025-07-30 (about 9 months ago)
Added
2025-07-30 (about 9 months ago)
Last Updated
2025-07-30 (about 9 months ago)

Other

Published
Title
Published
2021-10-21
Title
Envato Elements < 2.0.11 - Contributor+ Arbitrary File Upload
Published
2025-03-07
Title
SMTP by BestWebSoft < 1.2.0 - Authenticated (Administrator+) Arbitrary File Upload
Published
2025-09-17
Title
Medcity < 1.1.9 - Unauthenticated Arbitrary File Upload
Published
2016-06-22
Title
Contus Video Comments - Unauthenticated Remote JPG File Upload
Published
2024-10-25
Title
Ajar in5 Embed < 3.1.4 - Unauthenticated Arbitrary File Upload