Description
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Published: 2026-01-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads because the rest_helpers_update_media_metadata function lacks proper file type checks. Authenticated users with Editor-level permissions can upload any file, then rename it to a PHP script via the same endpoint, creating an executable file in the site’s uploads directory and enabling remote code execution.

Affected Systems

The vulnerability affects all releases of the AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin up to and including version 3.3.2. The affected plugin is installed on WordPress sites that have this plugin active.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, but the EPSS score is less than 1% and the issue is not listed in CISA’s KEV catalog, suggesting a low likelihood of widespread exploitation currently. The attacker must first authenticate with at least Editor privileges and then interact with the update_media_metadata REST endpoint to upload and rename a file. Because the endpoint is remote, the attack vector is over the network, though user credentials are required, making it a moderately complex exploit.

Generated by OpenCVE AI on April 15, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AI Engine plugin to the latest patched version (>=3.3.3) or any version that includes the file type validation fix.
  • If upgrading immediately is not possible, restrict Editor and higher user roles from accessing the update_media_metadata endpoint, or remove media upload capability for those roles.
  • Implement server‑side validation to allow only image MIME types in the uploads directory, rejecting all other uploads.
  • As a temporary mitigation, configure the web server to deny execution of files in the wp-content/uploads directory or move uploaded files to a non‑executable location.

Generated by OpenCVE AI on April 15, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tigroumeow
Tigroumeow ai Engine – The Chatbot And Ai Framework For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Tigroumeow
Tigroumeow ai Engine – The Chatbot And Ai Framework For Wordpress
Wordpress
Wordpress wordpress

Wed, 28 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
Description The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Title AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in update_media_metadata Endpoint
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Tigroumeow Ai Engine – The Chatbot And Ai Framework For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:58.973Z

Reserved: 2026-01-23T21:44:13.311Z

Link: CVE-2026-1400

cve-icon Vulnrichment

Updated: 2026-01-28T16:06:53.852Z

cve-icon NVD

Status : Deferred

Published: 2026-01-28T09:15:49.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1400

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses