Description
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files. This issue affects AI Engine: from n/a through <= 3.3.2.
Published: 2026-03-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Immediate Patch
AI Analysis

Impact

The AI Engine plugin lacks file type validation, allowing attackers to upload files that the system may handle as executable content. This flaw is classified as CWE‑434 and could let a malicious user place files that the WordPress installation might later execute or expose. Because the server may treat such uploads as downloadable or ready-to-process media, the attacker could potentially gain code execution, gain unauthorized data access, or disrupt site availability.

Affected Systems

The vulnerability applies to Jordy Meow AI Engine plugin versions up to 3.3.2. Any WordPress site running one of these versions of the plugin is at risk. The flaw exists in all installations regardless of theme or other plugins.

Risk and Exploitability

This vulnerability is rated 9.1 out of 10, which categorizes it as critical. The EPSS exploitation probability is less than 1%, and the issue is not listed in the CISA KEV catalog. The likely attack vector is the plugin’s upload endpoint, where an attacker can supply a file that bypasses type checks. If successful, such a file could be processed or executed by the web server, making this a high‑impact risk for sites that use the affected plugin.

Generated by OpenCVE AI on April 17, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AI Engine plugin to version 3.3.3 or newer, which removes the uncontrolled file upload functionality.
  • If an upgrade cannot be performed immediately, restrict the upload feature to administrative users only and enforce strict MIME type checking to allow only safe file types.
  • Configure the web server to serve uploaded files as static content and disable execution in the upload directory, preventing any embedded code from running.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jordy Meow; Jordy Meow ai-engine; Wordpress; Wordpress wordpress
Vendors & Products | | Jordy Meow; Jordy Meow ai-engine; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files. This issue affects AI Engine: from n/a through <= 3.3.2.
Title | | WordPress AI Engine plugin <= 3.3.2 - Arbitrary File Upload vulnerability
Weaknesses | | CWE-434
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:04.880Z

Reserved: 2026-01-16T14:15:17.504Z

Link: CVE-2026-23802

Vulnrichment

Updated: 2026-03-09T19:33:06.316Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:22.763

Modified: 2026-03-09T20:16:06.950

Link: CVE-2026-23802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z
