AI Engine Vulnerability – Authenticated(Editor+) Arbitrary File Upload via add_image_from_url – CVE-2024-0699 | WordPress Plugin Vulnerability Report
Plugin Name: AI Engine
Key Information:
- Software Type: Plugin
- Software Slug: ai-engine
- Software Status: Active
- Software Author: tigroumeow
- Software Downloads: 1,716,148
- Active Installs: 50,000
- Last Updated: January 18, 2024
- Patched Versions: 2.1.5
- Affected Versions: <= 2.1.4
Vulnerability Details:
- Name: AI Engine <= 2.1.4 - Authenticated(Editor+) Arbitrary File Upload via add_image_from_url
- Title: Authenticated(Editor+) Arbitrary File Upload via add_image_from_url
- Type: Unrestricted Upload of File with Dangerous Type
- CVE: CVE-2024-0699
- CVSS Score: 6.6 (Medium)
- Publicly Published: January 18, 2024
- Researcher: rootxsudip
- Description: The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Summary:
The AI Engine for WordPress plugin has a vulnerability in versions up to and including 2.1.4 that allows authenticated users with Editor+ access to upload arbitrary files, possibly enabling remote code execution. This vulnerability has been patched in version 2.1.5.
Detailed Overview:
Researcher rootxsudip discovered a vulnerability in the add_image_from_url function of the AI Engine plugin that allows Editor+ users to upload files of any type without restriction. This could enable malicious users to upload and execute scripts on vulnerable WordPress sites. The issue affects all versions up to and including 2.1.4 and has been addressed in version 2.1.5, which properly restricts file uploads. Sites using vulnerable AI Engine versions are exposed to unauthorized access, data loss, defacement, and other threats if exploited. Users should update immediately to patch this vulnerability.
Advice for Users:
- Immediate Action: Update to version 2.1.5 or higher to patch this vulnerability.
- Check for Signs of Vulnerability: Review your file manager for unexpected files that may indicate exploitation.
- Alternate Plugins: Consider alternatives like Ultimate AI Chatbot or Interactor while this vulnerability is addressed.
- Stay Updated: Ensure plugins are kept updated and review changelogs for security fixes.
Conclusion:
The prompt update from AI Engine to address this serious vulnerability shows the plugin’s commitment to user security. Sites using AI Engine should immediately patch to version 2.1.5 or higher. Staying updated is key to securing WordPress installs against emerging threats.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ai-engine
Detailed Report:
Staying on top of website security is crucial to prevent issues like the recently discovered vulnerability in the popular AI Engine WordPress plugin. This plugin powers chatbots, AI assistants, and more for over 50,000 active sites, so this vulnerability puts many websites at risk. In this post we’ll cover the details and how to protect your site.
The AI Engine plugin, developed by tigroumeow, has over 1.7 million downloads making it a widely-used tool. Unfortunately, versions up to and including 2.1.4 contain a flaw allowing editor-level users and up to upload arbitrary malicious files to the server. This creates significant security risks, potentially allowing attackers to upload malware and scripts opening up remote code execution vulnerabilities.
Specifically, the add_image_from_url function does not properly restrict file uploads by type. Researchers discovered that attackers can leverage this to upload any file type, including dangerous PHP scripts. With over 1.7 million sites potentially vulnerable, this is a serious issue that site owners need to address immediately.
If exploited, this vulnerability can lead to a complete site takeover, data theft, malware infections, defacements, fraudulent activity, and more. Researchers rate it a 6.6 out of 10 on the CVSS scale for severity. All AI Engine users should update to version 2.1.5 as soon as possible to patch this vulnerability.
To protect your website, follow these steps:
- Update the AI Engine Plugin to version 2.1.5 immediately
- Scan your file manager for unexpected scripts or files that may indicate exploitation
- Consider alternatives like Ultimate AI Chatbot or Interactor while this is addressed
- Ensure all plugins stay updated and review changelogs for security fixes
Staying on top of vulnerabilities like this is crucial but can be difficult for small business owners without dedicated tech teams. Partnering with a managed service provider can help ensure your site stays secure against emerging threats. Security should be baked into business operations today as attacks grow in frequency and impact each year. We recommend being proactive to lock down vulnerabilities rather than waiting until your site is compromised.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.