Description
The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
Published: 2025-09-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure and deletion via missing authorization checks
Action: Update Plugin
AI Analysis

Impact

The AI Engine plugin for WordPress lets an unauthenticated attacker list and delete files that other users have uploaded because a capability check is missing in the rest_list and delete_files functions. This flaw can compromise the confidentiality of user–uploaded content and damage integrity by removing legitimate files. It represents a classic missing authorization weakness (CWE‑862).

Affected Systems

WordPress sites that use the AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin, versions up to and including 2.9.5 are affected.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is moderate, but its EPSS score of <1 % indicates a very low exploitation likelihood. The flaw is not listed in the CISA KEV catalog. Attackers would need to hit the vulnerable REST endpoints, which are currently accessible to anyone, and then supply the appropriate file identifiers to list or delete them. Because authentication is bypassed, the impact is limited primarily to the files owned by other users on the same site.

Generated by OpenCVE AI on April 20, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AI Engine plugin to the latest version that includes the missing capability check (≥ 2.9.6).
  • Restrict access to the rest_list and delete_files REST endpoints so that only authenticated users with the appropriate capabilities can invoke them, for example by configuring a security plugin or adding custom access rules.
  • If an immediate upgrade is not possible, audit the site's uploaded files, delete any that may have been exposed or corrupted, and restore from backups if available.

Generated by OpenCVE AI on April 20, 2026 at 19:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26645 The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
History

Thu, 04 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Sep 2025 20:45:00 +0000

Type Values Removed Values Added
Description The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
Title Ai Engine <= 2.9.5 - Missing Authorization to Unauthenticated Uploaded Files Disclosure And Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:09.687Z

Reserved: 2025-07-27T14:53:48.378Z

Link: CVE-2025-8268

cve-icon Vulnrichment

Updated: 2025-09-03T20:47:10.761Z

cve-icon NVD

Status : Deferred

Published: 2025-09-03T21:15:33.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses