Security Vulnerability in AI Engine WordPress Plugin
The AI Engine WordPress plugin, installed on over 100,000 websites, has been issued a security advisory due to a vulnerability that enables attackers with subscriber-level authentication to upload malicious files when the REST API is enabled. This is the fourth vulnerability discovered in the plugin this month and the fifth in 2025.
Background on AI Engine Plugin Vulnerabilities
In 2024, nine vulnerabilities were discovered in the AI Engine plugin, including two that were particularly severe, with ratings of 9.8 and 9.1. Those two allowed unauthenticated exploitation and arbitrary file uploads. The latest vulnerability, although not as severe, still poses a significant threat to websites using the plugin.
Details of the Latest Vulnerability
The latest vulnerability is rated 8.8 and enables authenticated file uploads. This means that an attacker with subscriber-level authentication can upload malicious files to a website when the REST API is enabled. The vulnerability is due to missing file type validation in a function related to the REST API in versions 2.9.3 and 2.9.4 of the plugin.
What is File Type Validation?
File type validation is a security measure used in WordPress to ensure that the content of a file matches the type of file being uploaded. This helps prevent malicious files from being uploaded to a website. In the case of the AI Engine plugin, the lack of file type validation allows attackers to upload arbitrary files, which could lead to remote code execution.
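To make the concept concrete, here is an added example of a WordPress REST upload endpoint that validates the uploaded file's real type rather than trusting the client-supplied name or MIME header. This is illustrative code written for this article, not the AI Engine plugin's own code; the route namespace, callback name and the image-only allow-list are assumptions.

```php
<?php
// Added example (not the AI Engine plugin's own code): a REST upload endpoint
// with capability and file type checks. Route and function names are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_upload',
        // First gate: require the upload_files capability, which Subscribers
        // lack by default, instead of only checking for a logged-in user.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function example_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Second gate: an explicit allow-list of the types this endpoint needs,
    // narrower than the site-wide list from get_allowed_mime_types().
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );

    // wp_check_filetype_and_ext() checks the extension against $allowed and,
    // for images, inspects the file content. A .php, .phtml or
    // double-extension name yields ext/type = false and is rejected here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.', array( 'status' => 415 ) );
    }
    // WordPress may propose a corrected name when content and extension differ.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // Third gate: wp_handle_upload() re-runs the type checks and moves the file
    // into the uploads directory under a sanitized, unique filename.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

The defect described in this article corresponds to skipping the second and third gates: accepting whatever filename and type the request claims and writing the file as-is.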
Impact and Recommendations
According to Wordfence, a security firm that discovered the vulnerability, "This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server when the REST API is enabled, which may make remote code execution possible." To protect against this vulnerability, users of the AI Engine plugin are recommended to update their plugin to the latest version, 2.9.5, or a newer version.
Updates and Fixes
The plugin changelog for version 2.9.5 notes that the update resolves a security issue related to SSRF by validating URL schemes in audio transcription and sanitizing REST API parameters to prevent API key misuse. Additionally, the update corrects a critical security vulnerability that allowed unauthorized file uploads by adding strict file type validation to prevent PHP execution.
Conclusion
The discovery of the latest vulnerability in the AI Engine WordPress plugin highlights the importance of keeping plugins up to date and ensuring that security measures are in place to prevent exploits. By updating to the latest version of the plugin, users can protect their websites against this vulnerability and prevent potential attacks. It is essential for website owners to prioritize security and take proactive steps to protect their online presence.