A critical vulnerability has been identified in the AI Engine plugin for WordPress, specifically affecting its free version with over 50,000 active installations. 

The plugin is widely recognized for its diverse AI-related functionalities, allowing users to create chatbots, manage content and utilize various AI tools such as translation, SEO and more. 

According to an advisory published today by Patchstack, the security flaw in question is an unauthenticated arbitrary file upload vulnerability in the plugin’s rest_upload function within the files.php module.

The vulnerability permits any unauthenticated user to upload arbitrary files, including potentially malicious PHP files, which could lead to remote code execution on the affected system. 

Notably, the permission_callback parameter of the relevant REST API endpoint is set to __return_true, allowing any unauthenticated user to trigger the vulnerable function. The lack of proper file type and extension validation in the code allows for the upload of arbitrary files, posing a significant security risk.

Read more on WordPress security: Backup Migration WordPress Plugin Flaw Impacts 90,000 Sites

To mitigate this vulnerability, the plugin’s development team introduced a patch in version 1.9.99. The patch implements a permission check on the custom REST API endpoint and incorporates file type and extension checks using the wp_check_filetype_and_ext function.

In light of these findings, users are strongly advised to update their AI Engine plugin to at least version 1.9.99 to ensure their systems are protected against potential exploitation. The identifier CVE-2023-51409 has been assigned to track the issue.

“Always check every process of $_FILES parameters in the plugin or theme code,” reads the Patchstack advisory. “Make sure to apply a check on the filename and extension before uploading the file. Also, pay extra attention to the permission checks on the custom REST API endpoints.”