The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 04 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 20:45:00 +0000

Type Values Removed Values Added
Description The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
Title Ai Engine <= 2.9.5 - Missing Authorization to Unauthenticated Uploaded Files Disclosure And Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-09-03T20:47:15.585Z

Reserved: 2025-07-27T14:53:48.378Z

Link: CVE-2025-8268

cve-icon Vulnrichment

Updated: 2025-09-03T20:47:10.761Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-03T21:15:33.357

Modified: 2025-09-04T15:35:29.497

Link: CVE-2025-8268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-04T13:12:16Z