AI Engine Vulnerability – Authenticated (Editor+) Arbitrary File Upload – CVE-2024-34440 | WordPress Plugin Vulnerability Report

Plugin Name: AI Engine

Key Information:

  • Software Type: Plugin
  • Software Slug: ai-engine
  • Software Status: Active
  • Software Author: tigroumeow
  • Software Downloads: 2,383,435
  • Active Installs: 70,000
  • Last Updated: May 7, 2024
  • Patched Versions: 2.2.70
  • Affected Versions: <= 2.2.63

Vulnerability Details:

  • Name: AI Engine: ChatGPT Chatbot <= 2.2.63 - Authenticated (Editor+) Arbitrary File Upload
  • Type: Unrestricted Upload of File with Dangerous Type
  • CVE: CVE-2024-34440
  • CVSS Score: 9.1 (Critical)
  • Publicly Published: May 7, 2024
  • Researcher: stealthcopter
  • Description: The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.2.63. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Summary:

The AI Engine plugin for WordPress has a vulnerability in versions up to and including 2.2.63 that allows authenticated attackers with Editor-level access and above to upload arbitrary files due to missing file type validation. This vulnerability has been patched in version 2.2.70.

Detailed Overview:

The vulnerability was discovered by security researcher stealthcopter and publicly disclosed on May 7, 2024. It affects all versions of the AI Engine plugin up to and including 2.2.63. The vulnerability stems from a lack of proper file type validation when handling file uploads, allowing attackers with Editor-level access or higher to upload malicious files to the server. This could potentially lead to remote code execution on the affected website.

Advice for Users:

  1. Immediate Action: Update the AI Engine plugin to version 2.2.70 or later to address the vulnerability.
  2. Check for Signs of Vulnerability: Review your website for any suspicious or unauthorized file uploads, especially in the plugin's directory.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the AI Engine plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.2.70 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ai-engine

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ai-engine/ai-engine-chatgpt-chatbot-2263-authenticated-editor-arbitrary-file-upload

Detailed Report:

In the ever-evolving digital landscape, website security remains a top priority for website owners and administrators. As new threats emerge and vulnerabilities are discovered, it is crucial to stay vigilant and proactive in maintaining the integrity of your online presence. Today, we bring to light a recently discovered vulnerability in the AI Engine plugin for WordPress, which underscores the significance of regular updates and the potential risks associated with outdated software.

Plugin Details:

The AI Engine plugin is a popular choice for integrating ChatGPT functionality into WordPress websites. It has been actively maintained by its author, tigroumeow, and has amassed over 2.3 million downloads with approximately 70,000 active installations. The plugin's latest version, 2.2.70, was released on May 7, 2024, addressing a critical vulnerability present in previous versions.

Vulnerability Details:

The vulnerability, identified as CVE-2024-34440, allows authenticated attackers with Editor-level access and above to upload arbitrary files to the affected website's server due to missing file type validation. This vulnerability has been assigned a CVSS score of 9.1, indicating its critical severity. The issue was discovered by security researcher stealthcopter and publicly disclosed on May 7, 2024.

Risks and Potential Impacts:

The arbitrary file upload vulnerability in the AI Engine plugin poses significant risks to affected websites. Attackers with Editor-level access or higher could exploit this vulnerability to upload malicious files, potentially leading to remote code execution on the compromised server. This could result in complete takeover of the website, theft of sensitive data, or the site being used to distribute malware to its visitors.

Remediation Steps:

To address this vulnerability, website owners using the AI Engine plugin should take immediate action by updating the plugin to version 2.2.70 or later. It is also recommended to review the website for any suspicious or unauthorized file uploads, particularly in the plugin's directory. As a precautionary measure, website owners may consider using alternative plugins that offer similar functionality until the patch has been thoroughly tested.

Previous Vulnerabilities:

It is worth noting that the AI Engine plugin has had a history of vulnerabilities. Since May 2023, five other vulnerabilities have been reported and addressed by the plugin's developer. This underscores the importance of regularly monitoring and updating the plugin to ensure the website's security.

Conclusion:

The discovery of the arbitrary file upload vulnerability in the AI Engine plugin serves as a stark reminder of the critical importance of staying on top of security vulnerabilities. As a small business owner with a WordPress website, it can be challenging to find the time and resources to consistently monitor and address such issues. However, neglecting website security can have devastating consequences, potentially leading to financial losses, reputational damage, and loss of customer trust.

To minimize the risk of falling victim to security vulnerabilities, it is essential to prioritize regular plugin and theme updates, as well as core WordPress updates. Subscribing to security newsletters, following reputable WordPress security blogs, and considering the use of website security monitoring services can help stay informed about the latest threats and vulnerabilities.

If you are concerned about the security of your website or lack the technical expertise to handle such issues, don't hesitate to seek professional assistance. Many WordPress security experts and agencies offer services tailored to small businesses, ensuring that your website remains protected while allowing you to focus on running your business.

Remember, investing in website security is not just about protecting your online presence; it's about safeguarding your business, your customers, and your reputation in an increasingly digital world.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.

AI Engine Vulnerability – Authenticated (Editor+) Arbitrary File Upload – CVE-2024-34440 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment