CVE-2024-13361
📋 TL;DR
The AI Power WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to upload image files containing malicious shortcode attributes. These attributes execute when the image attachment page is accessed via POST request, potentially leading to arbitrary code execution. All WordPress sites using AI Power: Complete AI Pack plugin versions up to 1.8.96 are affected.
💻 Affected Systems
- AI Power: Complete AI Pack WordPress Plugin
📦 What is this software?
Aipower by Aipower
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary code on the server, potentially gaining full control of the WordPress installation and underlying server, leading to data theft, defacement, or ransomware deployment.
Likely Case
Authenticated attackers upload malicious images that execute shortcode payloads when viewed, potentially creating backdoors, stealing session cookies, or redirecting users to malicious sites.
If Mitigated
With proper access controls and input validation, the impact is limited to unauthorized image uploads without code execution capability.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is publicly documented with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.97 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3224162/gpt3-ai-content-generator/trunk/classes/wpaicg_image.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'AI Power: Complete AI Pack'
4. Click 'Update Now' if update is available
5. Alternatively, download version 1.8.97+ from WordPress repository
6. Deactivate old version, upload new version, activate
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the vulnerable plugin until patched
wp plugin deactivate gpt3-ai-content-generator
Restrict User Registration
Disable new user registration to prevent attackers from obtaining Subscriber accounts
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block POST requests to attachment pages containing suspicious shortcode patterns
- Restrict file upload permissions and implement strict input validation for image_alt fields
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → AI Power: Complete AI Pack → Version. If version is 1.8.96 or lower, you are vulnerable.
Check Version:
wp plugin get gpt3-ai-content-generator --field=version
Verify Fix Applied:
Verify plugin version is 1.8.97 or higher. Test that Subscriber users cannot upload images with executable shortcode attributes.
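A small version check that can be fed the output of the wp-cli command above (added here as an example; it is not part of the advisory or the plugin). It compares the installed version numerically against the 1.8.97 patch level, which matters because a plain string comparison would wrongly rank a hypothetical "1.8.100" below "1.8.97". The version strings in the main block are constructed test input.

```python
import re
import sys
from typing import Tuple

FIXED_IN = "1.8.97"  # first patched release according to the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.8.96' (or 'v1.8.96-beta1') into a tuple of ints.

    Only the leading dotted-numeric part is used; any suffix is ignored.
    Tuples compare element by element, so (1, 8, 100) > (1, 8, 97).
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_IN) -> bool:
    """True when the installed plugin version predates the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def assess(installed: str) -> str:
    """Human-readable verdict for the installed version."""
    if is_vulnerable(installed):
        return f"VULNERABLE: {installed} is older than {FIXED_IN}; update the plugin"
    return f"patched: {installed} is {FIXED_IN} or later"


if __name__ == "__main__":
    # Usage: wp plugin get gpt3-ai-content-generator --field=version | python3 check_version.py
    # or:    python3 check_version.py 1.8.96
    version = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read().strip()
    print(assess(version))
```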
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=wpaicg_save_image_media
- Multiple image uploads from Subscriber-level accounts
- Shortcode execution in media attachment logs
Network Indicators:
- POST requests to attachment pages with encoded payloads in parameters
- Unusual outbound connections following image uploads
SIEM Query:
source="wordpress.log" AND ("wpaicg_save_image_media" OR ("image_alt" AND "shortcode"))
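The log indicators above turned into a minimal scanner over web-server access logs (added example; not code from the advisory or the plugin vendor). It flags POST requests to admin-ajax.php carrying the wpaicg_save_image_media action and POST requests to attachment pages, then reports source addresses that produced both in sequence. The log lines are constructed Apache combined-format samples with documentation IP ranges. Two assumptions: the action parameter is visible in the logged request line (if it only travels in the POST body, you need WAF or request-body logging to see it), and attachment pages are identified by an attachment_id query parameter.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample access log (hypothetical data, not from any real site).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpaicg_save_image_media HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:10:01:15 +0000] "POST /?attachment_id=4711 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:03:00 +0000] "GET /?attachment_id=4711 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

AJAX_ACTION = "wpaicg_save_image_media"  # indicator named in the advisory


@dataclass
class Hit:
    line_no: int
    ip: str
    reason: str


def classify(method: str, path: str) -> Optional[str]:
    """Return a reason if the request matches an indicator, else None."""
    if method != "POST":
        return None
    if "/wp-admin/admin-ajax.php" in path and f"action={AJAX_ACTION}" in path:
        return f"admin-ajax upload action {AJAX_ACTION}"
    # Assumption: attachment pages are addressed via ?attachment_id=<n>.
    if "attachment_id=" in path:
        return "POST to attachment page"
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse each line and collect those matching an indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        reason = classify(m["method"], m["path"])
        if reason:
            hits.append(Hit(n, m["ip"], reason))
    return hits


def suspicious_ips(hits: List[Hit]) -> Set[str]:
    """Sources that both used the upload action and POSTed to an attachment page."""
    by_ip: Dict[str, Set[str]] = {}
    for h in hits:
        by_ip.setdefault(h.ip, set()).add(h.reason)
    return {ip for ip, reasons in by_ip.items() if len(reasons) == 2}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.ip} -> {h.reason}")
    print("upload-then-attachment-POST sequence from:", sorted(suspicious_ips(found)))
```

Pointing scan() at a real log file (scan(open(path)) works line by line) gives the same output; the two-indicator correlation in suspicious_ips() is what separates a legitimate single upload from the upload-then-trigger pattern the advisory describes.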