Skip to main content

Ai Engine

16 CVEs product

Monthly

CVE-2026-12511 HIGH POC PATCH This Week

Arbitrary file write in the AI Engine WordPress plugin before 3.5.5 lets authenticated editor-level users abuse an unsanitized, user-supplied filename during a file-download-and-save operation to plant attacker-controlled bytes anywhere the web server user can write via path traversal. Because writing a PHP payload into the webroot typically yields remote code execution, this crosses from a content-management flaw into full site compromise. Publicly available exploit code exists and a vendor patch has shipped, though the issue is not listed in CISA KEV.

Path Traversal WordPress Ai Engine
NVD WPScan
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27407 HIGH This Week

Privilege escalation in the AI Engine WordPress plugin (Meow Apps) through version 3.4.9 allows authenticated users with Editor-level access to elevate their privileges to Administrator. CVSS rates this 7.2 (High) given high privileges required but full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Ai Engine
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-5570 MEDIUM This Month

The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Ai Engine PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-6238 HIGH PATCH This Week

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5.

WordPress Open Redirect Ai Engine PHP
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-5071 HIGH PATCH This Week

The AI Engine WordPress plugin (versions 2.8.0-2.8.3) contains a missing capability check in the 'Meow_MWAI_Labs_MCP::can_access_mcp' function, allowing authenticated subscribers and above to access the Model Context Protocol (MCP) interface and execute arbitrary WordPress administrative commands. This enables privilege escalation, unauthorized user creation/modification, and data destruction through post and comment manipulation. The vulnerability has a CVSS score of 8.8 (High) and poses immediate risk to any WordPress installation running affected versions with user registration enabled.

WordPress Privilege Escalation PHP Ai Engine
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-10499 HIGH POC This Week

The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Ai Engine
NVD WPScan
CVSS 3.1
7.2
EPSS
0.6%
CVE-2024-6723 MEDIUM POC This Month

The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Ai Engine
NVD WPScan
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-6451 HIGH POC This Week

AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure PHP Ai Engine
NVD WPScan
CVSS 3.1
7.2
EPSS
0.8%
CVE-2024-38791 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot allows Server Side Request Forgery.4.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Ai Engine
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-34440 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.2.63. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Ai Engine
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2023-51409 CRITICAL POC THREAT Emergency

Unrestricted file upload in Jordy Meow's AI Engine: ChatGPT Chatbot plugin for WordPress (versions up to and including 1.9.98) allows remote attackers to upload arbitrary files of dangerous types, including executable PHP scripts, leading to remote code execution on the underlying web server. With a maximum CVSS score of 10.0, an EPSS score of 92.78% (100th percentile), and publicly available exploit code, this represents an extreme-priority issue for any WordPress site running the plugin.

File Upload Ai Engine
NVD GitHub
CVSS 3.1
10.0
EPSS
92.8%
Threat
6.3
CVE-2024-29100 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.1.4. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Ai Engine
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-29090 MEDIUM POC This Month

Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.1.4. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Ai Engine
NVD
CVSS 3.1
6.8
EPSS
0.9%
CVE-2024-0378 MEDIUM PATCH This Month

The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Ai Engine
NVD
CVSS 3.1
6.5
EPSS
6.2%
CVE-2024-0699 MEDIUM PATCH This Month

The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload RCE WordPress Ai Engine
NVD VulDB
CVSS 3.1
6.6
EPSS
7.1%
CVE-2023-2580 MEDIUM POC This Month

The AI Engine WordPress plugin before 1.6.83 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ai Engine
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Arbitrary file write in the AI Engine WordPress plugin before 3.5.5 lets authenticated editor-level users abuse an unsanitized, user-supplied filename during a file-download-and-save operation to plant attacker-controlled bytes anywhere the web server user can write via path traversal. Because writing a PHP payload into the webroot typically yields remote code execution, this crosses from a content-management flaw into full site compromise. Publicly available exploit code exists and a vendor patch has shipped, though the issue is not listed in CISA KEV.

Path Traversal WordPress Ai Engine
NVD WPScan
EPSS 1% CVSS 7.2
HIGH This Week

Privilege escalation in the AI Engine WordPress plugin (Meow Apps) through version 3.4.9 allows authenticated users with Editor-level access to elevate their privileges to Administrator. CVSS rates this 7.2 (High) given high privileges required but full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Ai Engine
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Ai Engine +1
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5.

WordPress Open Redirect Ai Engine +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The AI Engine WordPress plugin (versions 2.8.0-2.8.3) contains a missing capability check in the 'Meow_MWAI_Labs_MCP::can_access_mcp' function, allowing authenticated subscribers and above to access the Model Context Protocol (MCP) interface and execute arbitrary WordPress administrative commands. This enables privilege escalation, unauthorized user creation/modification, and data destruction through post and comment manipulation. The vulnerability has a CVSS score of 8.8 (High) and poses immediate risk to any WordPress installation running affected versions with user registration enabled.

WordPress Privilege Escalation PHP +1
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Ai Engine
NVD WPScan
EPSS 0% CVSS 4.7
MEDIUM POC This Month

The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Ai Engine
NVD WPScan
EPSS 1% CVSS 7.2
HIGH POC This Week

AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure PHP +1
NVD WPScan
EPSS 0% CVSS 7.1
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot allows Server Side Request Forgery.4.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Ai Engine
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.2.63. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Ai Engine
NVD
EPSS 93% 6.3 CVSS 10.0
CRITICAL POC THREAT Emergency

Unrestricted file upload in Jordy Meow's AI Engine: ChatGPT Chatbot plugin for WordPress (versions up to and including 1.9.98) allows remote attackers to upload arbitrary files of dangerous types, including executable PHP scripts, leading to remote code execution on the underlying web server. With a maximum CVSS score of 10.0, an EPSS score of 92.78% (100th percentile), and publicly available exploit code, this represents an extreme-priority issue for any WordPress site running the plugin.

File Upload Ai Engine
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.1.4. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Ai Engine
NVD
EPSS 1% CVSS 6.8
MEDIUM POC This Month

Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.1.4. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Ai Engine
NVD
EPSS 6% CVSS 6.5
MEDIUM PATCH This Month

The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Ai Engine
NVD
EPSS 7% CVSS 6.6
MEDIUM PATCH This Month

The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload RCE WordPress +1
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The AI Engine WordPress plugin before 1.6.83 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ai Engine
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy