Skip to main content

Aiomatic CVE-2025-6206

| EUVDEUVD-2025-28702 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-06-24 security@wordfence.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-28702
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
CVE Published
Jun 24, 2025 - 09:15 nvd
HIGH 7.5

DescriptionCVE.org

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. In order to exploit the vulnerability, there must be a value entered for the Stability.AI API key. The value can be arbitrary.

AnalysisAI

The Aiomatic WordPress plugin (versions ≤2.5.0) contains an arbitrary file upload vulnerability in the 'aiomatic_image_editor_ajax_submit' AJAX function due to missing file type validation, allowing authenticated Subscriber-level users to upload malicious files and potentially achieve remote code execution. Exploitation requires a valid (though arbitrary) Stability.AI API key to be configured. This is a high-impact vulnerability affecting WordPress sites using this plugin, with CVSS 7.5 reflecting the combination of high confidentiality/integrity/authentication bypass risk despite high attack complexity.

Technical ContextAI

The vulnerability exists in the Aiomatic plugin's AJAX handler 'aiomatic_image_editor_ajax_submit', which processes file uploads without proper MIME type, extension, or content validation. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic file upload vulnerability where user-supplied files bypass security controls. The plugin relies on Stability.AI API integration for image editing operations; the arbitrary API key requirement suggests the validation logic incorrectly trusts any non-empty API key value without cryptographic verification. This allows attackers to bypass intended access controls by providing dummy API key values. The vulnerable code path processes file uploads through standard WordPress AJAX mechanisms (wp_ajax hook), making it accessible to any authenticated user at subscriber level or above, irrespective of capabilities typically restricted to administrators.

RemediationAI

Immediate actions: (1) Identify patch version—update Aiomatic plugin to version 2.5.1 or later once released (monitor wordpress.org/plugins/aiomatic for security updates). (2) If patch unavailable, implement workaround: restrict AJAX endpoint 'aiomatic_image_editor_ajax_submit' via WordPress hooks or Web Application Firewall rules to administrators only using capability-based access control (current_user_can('manage_options')). (3) For defense-in-depth: disable Stability.AI API key if unused; audit file upload directories for suspicious files; implement file type whitelisting at web server level (nginx/Apache configuration). (4) Monitor active user sessions for Subscriber+ accounts with suspicious activity post-discovery. (5) Consider using security plugins (e.g., Wordfence, iThemes Security) with file upload monitoring and YARA rules for malicious PHP uploads. Vendor advisory should be checked at wordpress.org plugin security advisories or Aiomatic's official changelog.

Share

CVE-2025-6206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy