Description
Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server. This issue affects AiBud WP: from n/a through <= 1.9.
Published: 2025-07-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in WebFactory AiBud WP permits an attacker to upload arbitrary files of dangerous types, enabling the placement of a web shell on the server. Once the shell is uploaded, the attacker could execute arbitrary commands, access sensitive data, or disrupt services, compromising the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The issue affects WordPress sites that use the AiBud WP plugin in any version up to and including 1.9. The plugin is distributed by WebFactory and is commonly integrated into WordPress installations for AI chatbot functionality.

Risk and Exploitability

With a CVSS score of 9.1, the vulnerability is classified as critical. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in CISA KEV. Attackers can exploit the weakness by submitting a malicious file through the plugin’s upload interface, which does not enforce file type validation. This permits remote code execution via the uploaded web shell without additional privileges.

Generated by OpenCVE AI on May 1, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AiBud WP plugin to a release newer than version 1.9 or apply the vendor’s patch.
  • If an update cannot be applied immediately, disable the plugin’s upload capability or restrict uploads to safe MIME types only.
  • Deploy a web application firewall rule or server‑side filtering to block the upload of executable files such as *.php, *.phtml, or similar extensions.
  • Regularly scan the web root and upload directories for unknown or suspicious files and remove any that are not part of the legitimate plugin deployment.
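As an added, defender-side illustration of the second through fourth actions above (example code written for this page, not code from OpenCVE, Patchstack or the AiBud WP plugin), the following Python checks an upload filename against an extension allowlist, rejecting double extensions such as shell.php.jpg, and scans an uploads tree for anything that fails the check; the extension lists, directory layout and sample file names are assumptions constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Allowlist and denylist are illustrative assumptions for this example,
# not lists taken from the AiBud WP plugin or from OpenCVE.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
DANGEROUS_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml",
                  "phar", "phps", "htaccess", "shtml", "cgi"}


def is_safe_upload_name(filename: str) -> bool:
    """Return True only if every extension segment of the name is acceptable.

    Checking every segment, not just the last one, rejects double-extension
    names such as 'shell.php.jpg' that misconfigured servers still hand to
    PHP; splitting on ';' as well catches 'shell.php;.jpg' style names.
    """
    name = os.path.basename(filename).lower()
    parts = re.split(r"[.;]", name)
    if len(parts) < 2 or not parts[0]:   # no extension, or a dotfile like .htaccess
        return False
    exts = parts[1:]
    if any(ext in DANGEROUS_EXTS for ext in exts):
        return False
    return exts[-1] in ALLOWED_EXTS


def find_suspicious_uploads(root: str) -> list[str]:
    """Walk an uploads directory and list files whose names fail the allowlist."""
    flagged = []
    for path in Path(root).rglob("*"):
        if path.is_file() and not is_safe_upload_name(path.name):
            flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)


def demo_scan() -> list[str]:
    """Build a constructed wp-content/uploads-style tree in a temp dir and scan it."""
    samples = ["2025/07/photo.jpg", "2025/07/notes.txt", "2025/07/shell.php",
               "2025/07/shell.php.jpg", "2025/07/.htaccess"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in samples:
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample content\n")
        return find_suspicious_uploads(tmp)
```

Run the scanner against the real uploads directory on a schedule and alert on any flagged path; a WAF or server-side rule built on the same allowlist blocks the upload before it reaches disk.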


Advisories

Source: EUVD
ID: EUVD-2025-19896
Title: Unrestricted Upload of File with Dangerous Type vulnerability in WPCenter AiBud WP allows Upload a Web Shell to a Web Server. This issue affects AiBud WP: from n/a through 1.8.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  Value: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values removed: Unrestricted Upload of File with Dangerous Type vulnerability in WPCenter AiBud WP allows Upload a Web Shell to a Web Server. This issue affects AiBud WP: from n/a through 1.8.5.
  Values added: Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server. This issue affects AiBud WP: from n/a through <= 1.9.
Type: Title
  Values removed: WordPress AiBud WP plugin <= 1.8.5 - Arbitrary File Upload vulnerability
  Values added: WordPress AiBud WP plugin <= 1.9 - Arbitrary File Upload vulnerability
Type: References
Type: Metrics (cvssV3_1)
  Value: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Mon, 07 Jul 2025 09:00:00 +0000


Thu, 03 Jul 2025 19:15:00 +0000

Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 03 Jul 2025 19:00:00 +0000

Type: Description
  Value: Unrestricted Upload of File with Dangerous Type vulnerability in WPCenter AiBud WP allows Upload a Web Shell to a Web Server. This issue affects AiBud WP: from n/a through 1.8.5.
Type: Title
  Value: WordPress AiBud WP plugin <= 1.8.5 - Arbitrary File Upload vulnerability
Type: Weaknesses
  Value: CWE-434
Type: References
Type: Metrics (cvssV3_1)
  Value: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:26.704Z

Reserved: 2025-01-16T11:33:05.291Z

Link: CVE-2025-23968

Vulnrichment

Updated: 2025-07-03T19:01:39.336Z

NVD

Status : Deferred

Published: 2025-07-03T19:15:23.043

Modified: 2026-04-23T15:24:52.840

Link: CVE-2025-23968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses