Flaw in AI plugin exposes 50,000 WordPress sites to remote attacks

esteria.white

A critical vulnerability has been identified in the AI Engine plugin for WordPress, specifically affecting its free version with over 50,000 active installations.

The plugin is widely recognized for its various AI-related features, allowing users to create chatbots, manage content, and use various AI tools such as translation, SEO, etc.

According to an advisory published today by Patchstack, the security flaw in question is an unauthenticated arbitrary file upload vulnerability in the plugin’s rest_upload function within the files.php module.

The vulnerability allows any unauthenticated user to upload arbitrary files, including potentially malicious PHP files, which could lead to remote code execution on the affected system.

Notably, the permission_callback parameter of the affected REST API endpoint is set to __return_true, allowing any unauthenticated user to trigger the vulnerable function. The lack of proper file type and extension validation in the code then allows arbitrary files to be uploaded, posing a significant security risk.


To mitigate this vulnerability, the plugin development team introduced a fix in version 1.9.99. The fix implements a permissions check on the custom REST API endpoint and integrates file type and extension checks using the wp_check_filetype_and_ext function.
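The pattern the advisory describes, as an added illustrative example rather than the AI Engine plugin's own code: a REST upload route registered with a permission callback of __return_true and no file type check, beside a hardened version that requires a capability and validates the file with wp_check_filetype_and_ext. The route namespace and function names are assumptions.

```php
<?php
// Illustrative example (not the plugin's code): weak REST upload route beside a hardened one.

// WEAK: permission_callback returns true for everyone, and the handler
// trusts the client-supplied filename and writes it unchanged.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_upload_weak',
        'permission_callback' => '__return_true', // anyone, logged in or not, may call this
    ) );
} );

function example_rest_upload_weak( WP_REST_Request $request ) {
    $files  = $request->get_file_params();
    $upload = wp_upload_dir();
    $target = $upload['path'] . '/' . $files['file']['name']; // no extension or MIME check
    move_uploaded_file( $files['file']['tmp_name'], $target );
    return rest_ensure_response( array( 'url' => $upload['url'] . '/' . $files['file']['name'] ) );
}

// HARDENED: require a capability and let WordPress validate the file type.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_upload_safe',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' ); // unauthenticated callers get a 401
        },
    ) );
} );

function example_rest_upload_safe( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || UPLOAD_ERR_OK !== $files['file']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    // Compare the claimed extension with the real MIME type; both must resolve to an allowed type.
    $check = wp_check_filetype_and_ext( $files['file']['tmp_name'], $files['file']['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.', array( 'status' => 415 ) );
    }
    // wp_handle_upload() re-validates the type, sanitizes the name and moves the file.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $files['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

A quick audit check for any plugin is to grep its register_rest_route calls for `'permission_callback' => '__return_true'` and confirm each such route genuinely needs to be public.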

In light of these findings, users are strongly advised to update their AI Engine plugin to at least version 1.9.99 to ensure their systems are protected from potential exploitation. CVE-2023-51409 has been assigned to track the issue.

“Always check each process that handles $_FILES in the plugin or theme code,” reads the Patchstack advisory. “Make sure to check the file name and extension before downloading the file. Also pay close attention to permission checks on custom REST API endpoints.”
