Description
The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-04-19
Score: 9.8 Critical
EPSS: 2.1% Low
KEV: No
Impact: Remote File Upload with Potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The AI Hub WordPress theme contains a flaw in the generate_image function where user supplied files are not validated for type. This omission allows an attacker to upload arbitrary files, which could include malicious scripts, to the server. If the uploaded file is later executed, remote code execution becomes feasible.

Affected Systems

The vulnerability affects the LiquidThemes AI Hub WordPress theme, versions up to and including 1.3.7. Site owners running these versions are at risk if the generate_image endpoint remains publicly accessible.

Risk and Exploitability

The CVSS score of 9.8 denotes a high severity. With an EPSS score of 2%, exploitation is considered likely in the current threat landscape, and the vulnerability is not yet listed in CISA KEV. Attackers can reach the vulnerable endpoint without authentication, upload a crafted file, and then trigger execution through the server’s PHP interpreter or by placing the payload in a web‑executable directory.

Generated by OpenCVE AI on April 22, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LiquidThemes AI Hub Theme to a version newer than 1.3.7.
  • If an update is not immediately available, restrict write permissions on the uploads directory so that only trusted roles can add files.
  • Disable or protect the generate_image endpoint—e.g., via a .htaccess rule or by removing the feature through theme or plugin settings.

Generated by OpenCVE AI on April 22, 2026 at 17:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15129 The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Mon, 21 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 19 Apr 2025 03:45:00 +0000

Type Values Removed Values Added
Description The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title AIHub <= 1.3.7 - Unauthenticated Arbitrary File Upload in generate_image
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:31.588Z

Reserved: 2025-02-06T19:54:04.137Z

Link: CVE-2025-1093

cve-icon Vulnrichment

Updated: 2025-04-21T02:43:43.691Z

cve-icon NVD

Status : Deferred

Published: 2025-04-19T04:15:21.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1093

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses