CVE-2024-13882
📋 TL;DR
The Aiomatic WordPress plugin allows authenticated attackers with Contributor-level access or higher to upload arbitrary files due to missing file type validation. This vulnerability can lead to remote code execution on affected WordPress sites. All versions up to and including 2.3.8 are vulnerable.
💻 Affected Systems
- Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit WordPress plugin
📦 What is this software?
Aiomatic by Coderevolution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install malware, steal data, or use the server for further attacks.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access, deface websites, or deploy cryptocurrency miners.
If Mitigated
If proper file upload restrictions and web application firewalls are in place, exploitation attempts would be blocked or detected.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Attackers could use stolen or compromised contributor accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.9 or later
Vendor Advisory: https://coderevolution.ro/knowledge-base/faq/full-changelog-aiomatic-automatic-ai-content-writer-editor-gpt-3-gpt-4-chatgpt-chatbot-ai-toolkit/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Aiomatic plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.3.9+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable plugin
allTemporarily deactivate the Aiomatic plugin until patched
Restrict file uploads via .htaccess
linuxBlock execution of uploaded files in uploads directory
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove Contributor role from untrusted users and implement strict user access controls
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Aiomatic version. If version is 2.3.8 or lower, system is vulnerable.Check Version:
wp plugin list --name=aiomatic --field=versionVerify Fix Applied:
After updating, verify Aiomatic plugin version shows 2.3.9 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/aiomatic/ directory
- POST requests to /wp-admin/admin-ajax.php with action=aiomatic_generate_featured_image
- Execution of PHP files from uploads directory
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints from unexpected sources
SIEM Query:
source="wordpress.log" AND ("aiomatic_generate_featured_image" OR "/wp-content/uploads/aiomatic/") AND ("php" OR "phtml" OR "phar")