AI Engine < 3.1.9 – Authenticated (Editor+) Server-Side Request Forgery | CVE 2025-8084 | Plugin Vulnerabilities

Description

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the rest_helpers_create_images function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving.

Affects Plugins

Fixed in 3.1.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3b497bc0-bf47-43c7-9d5f-8e130dd0bab2

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

c0556ba5-096a-48ba-b4b5-2207c94ccc80

Timeline

Publicly Published

2025-11-18 (about 5 months ago)

Added

2025-11-18 (about 5 months ago)

Last Updated

2025-11-18 (about 5 months ago)

Other

Published

Title

Published

2025-07-01

Title

Amazon Products to WooCommerce <= 1.2.7 - Unauthenticated Server-Side Request Forgery

Published

2024-04-22

Title

Embed Google Photos album < 2.2.1 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2014-05-28

Title

Jrss Widget <= 1.2 - SSRF

Published

2022-09-05

Title

Post SMTP < 2.1.7 - Admin+ Blind SSRF

Published

2021-04-13

Title

WP Smart Import < 1.0.1 - Auhenticated Server-side Request Forgery