Question 1

What is the AI Engine plugin for WordPress?

Accepted Answer

What is the AI Engine plugin for WordPress?

The AI Engine plugin enables advanced AI capabilities and tools like chatbots, generators, and assistants for WordPress sites. With over 50,000 active installs, it is a popular way for sites to implement cutting-edge AI. It offers features like GPT-powered chat and content, analytics, Zapier integration, and custom responses.

Question 2

What is the vulnerability in AI Engine?

Accepted Answer

What is the vulnerability in AI Engine?

Versions up to and including 2.1.4 of AI Engine contain an arbitrary file upload vulnerability due to flawed file validation in the add_image_from_url function. This allows attackers with editor access or higher to upload any file of their choice, including malicious scripts, directly to the server hosting the WordPress site.

Question 3

Who is affected by the vulnerability?

Accepted Answer

Who is affected by the vulnerability?

Any WordPress site using a vulnerable version of AI Engine, meaning 2.1.4 or lower, is affected. With over 1.7 million downloads to date, a huge number of sites have likely implemented the plugin and may be exposed without realizing it.

Question 4

What can happen if a WordPress site is compromised via this vulnerability?

Accepted Answer

What can happen if a WordPress site is compromised via this vulnerability?

With the ability to upload scripts at will, an attacker can gain keys to the kingdom over a WordPress install. This allows them to steal confidential data, delete databases or backups, move laterally in servers, distribute malware, ransom site data, use the site for attacks, and cause a variety of other malicious impacts.

Question 5

What is the severity level of this vulnerability?

Accepted Answer

What is the severity level of this vulnerability?

The AI Engine flaw has a CVSS base score of 6.6 out of 10, making it MEDIUM severity. While critical vulnerabilities are more severe, a score of 6.6 is still cause for serious and immediate concern requiring patching for all site owners.

Question 6

How can I tell if my WordPress site is vulnerable?

Accepted Answer

How can I tell if my WordPress site is vulnerable?

Check if you have the AI Engine plugin installed and activated. If so, visit the plugin page and check your version number. Any version at or below 2.1.4 indicates a vulnerable plugin that can be exploited by attackers to compromise your site.

Question 7

How do I update the AI Engine plugin to patch this vulnerability?

Accepted Answer

How do I update the AI Engine plugin to patch this vulnerability?

Navigate to Plugins > Installed Plugins within your WordPress dashboard. Find AI Engine and click Update if an update is available or use the Upload Plugin feature to manually install version 2.1.5 or higher downloaded from the developer’s site.

Question 8

Are any other WordPress plugins affected?

Accepted Answer

Are any other WordPress plugins affected?

At this time, the arbitrary file upload vulnerability affects only the AI Engine plugin specifically. However, vulnerabilities are frequently uncovered across popular WordPress plugins. Staying vigilant is key to securing any plugins you use to avoid threats like this.

Question 9

What else can I do to secure my WordPress site?

Accepted Answer

What else can I do to secure my WordPress site?

In addition to timely plugin updates, we recommend server-side website security scanning, malware detection, file integrity monitoring, DDoS protection, auto-backups, a web application firewall, limiting admin accounts, strong passwords, and other proactive measures against cyber threats.

Question 10

Who can help me evaluate and enhance my WordPress website security?

Accepted Answer

Who can help me evaluate and enhance my WordPress website security?

Our team specializes in WordPress security for small businesses who lack robust IT resources. We offer assessments to spot vulnerabilities, remediation to address risks, ongoing monitoring and response capabilities, customized hardening solutions, and education for long-term defense. Contact us for more details!

AI Engine Vulnerability – Authenticated(Editor+) Arbitrary File Upload via add_image_from_url – CVE-2024-0699 | WordPress Plugin Vulnerability Report

Amelia Booking Vulnerability – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-6808 | WordPress Plugin Vulnerability Report

Contact Form Plugin – Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title – CVE-2024-0618 | WordPress Plugin Vulnerability Report

Getwid – Gutenberg Blocks – Missing Authorization & Captcha Bypass – CVE-2023-6959 & CVE-2023-6963 | WordPress Plugin Vulnerability Report

Essential Addons for Elementor Vulnerabilities- Authenticated Stored Cross-Site Scripting – CVE-2024-0586 & CVE-2024-0585 | WordPress Plugin Vulnerability Report

WP Recipe Maker Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag – CVE-2024-0382 | WordPress Plugin Vulnerability Report

Advanced Custom Fields (ACF) – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field – CVE-2023-6701 | WordPress Plugin Vulnerability Report

Burst Statistics Vulnerability – Authenticated (Editor+) SQL Injection – CVE-2024-0405 | WordPress Plugin Vulnerability Report

User Profile Builder Vulnerability – Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update – CVE-2024-0324 | WordPress Plugin Vulnerability Report

Orbit Fox by ThemeIsle Vulnerability – Authenticated Stored Cross-site Scripting via Pricing Table Elementor Widget – CVE-2024-0508 | WordPress Plugin Vulnerability Report

Recent Blog Posts

Image Optimization by Optimole Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload – CVE-2024-4636 | WordPress Plugin Vulnerability Report

Order Export & Order Import for WooCommerce Vulnerability – Authenticated (Administrator+) PHP Object Injection – CVE-2024-34751 | WordPress Plugin Vulnerability Report

Password Protected Vulnerability – Missing Authorization to Sensitive Information Exposure – CVE-2024-0437 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy