CVE-2026-1400
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
The AI Engine - The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Analysis
Arbitrary file upload in AI Engine WordPress plugin versions up to and including 3.3.2 lets authenticated users with Editor-level access or above obtain remote code execution. The `update_media_metadata` REST endpoint renames an existing attachment without validating the new file type, so an attacker can upload a benign image through the normal media flow and then rename it to a `.php` file, placing executable code in the web-accessible uploads directory. …
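The check the Description and Analysis above say the endpoint lacks, as an added example that is not AI Engine's code or the page's own: a stand-alone Python policy for a rename-by-metadata request. The extension allowlist, the list of PHP-family extensions and the function names are this example's assumptions; in the plugin itself the equivalent check would have to run inside `rest_helpers_update_media_metadata` before the file is renamed on disk.

```python
"""Filename policy for a media 'rename' endpoint (added illustration, not the
plugin's code). A rename must keep the attachment's current extension, that
extension must be on an allowlist, and no PHP-family extension may appear
anywhere in the new name."""

import re
from pathlib import PurePosixPath

# Extensions a typical web server may hand to the PHP interpreter (assumed
# list for illustration; align it with the server's handler configuration).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                   "phtml", "phar", "phps"}

# Subset of what a WordPress install allows for image attachments (assumed).
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "webp"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def extensions_of(name: str) -> list[str]:
    """All dot-separated suffixes, lower-cased: 'shell.php.jpg' -> ['php', 'jpg']."""
    return [s.lstrip(".").lower() for s in PurePosixPath(name).suffixes]


def is_safe_rename(current_name: str, new_name: str,
                   allowed: set[str] = IMAGE_EXTS) -> tuple[bool, str]:
    """Return (ok, reason). ok=False means the endpoint must reject the request."""
    base = PurePosixPath(new_name).name
    if base != new_name or base in ("", ".", ".."):
        return False, "path separators or empty name"
    if not _SAFE_NAME.match(base):
        return False, "disallowed characters"
    if base.startswith("."):
        return False, "dotfile"          # e.g. .htaccess would reconfigure the directory
    exts = extensions_of(base)
    if not exts:
        return False, "no extension"
    # Reject shell.php.jpg too: Apache setups using AddHandler execute it.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension present"
    if exts[-1] not in allowed:
        return False, f"extension .{exts[-1]} not on allowlist"
    current = extensions_of(current_name)
    if not current or exts[-1] != current[-1]:
        return False, "extension must not change on rename"
    return True, "ok"


if __name__ == "__main__":
    for requested in ("holiday-2024.jpg", "shell.php", "shell.php.jpg",
                      "../shell.jpg", ".htaccess", "holiday.png"):
        print(f"{requested!r:>20} -> {is_safe_rename('image.jpg', requested)}")
```

The policy is deliberately stricter than a plain extension allowlist: it refuses any change of extension on rename, any PHP-family suffix in the middle of the name, and any dotfile. Even with the check in place, disabling PHP execution under `wp-content/uploads` at the web server is the independent control that limits a bypass to a file drop rather than code execution.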
Remediation
Within 24 hours: audit accounts with Editor-level access or above and disable any that are not needed; record the installed plugin version on every WordPress instance. Within 7 days: disable the AI Engine plugin until a fixed version is available, or otherwise enforce strict file upload restrictions; review web server access logs for suspicious uploads and for calls to the `update_media_metadata` endpoint, and check the uploads directory for files with PHP extensions, since a successful rename leaves the executable file there. …