CVE-2024-29100

9.1 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker upload arbitrary files to a WordPress site running the AI Engine: ChatGPT Chatbot plugin. Because the upload is not restricted by file type, an attacker can place a PHP web shell on the server and potentially take full control of the site. Every site running a vulnerable version of the plugin is affected.

💻 Affected Systems

Products:
  • AI Engine: ChatGPT Chatbot WordPress Plugin
Versions: n/a through 2.1.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, ransomware deployment, or use of the host as part of a botnet.

🟠 Likely Case: Website defacement, malware distribution, or credential theft through uploaded web shells.

🟢 If Mitigated: Limited impact if file uploads are restricted at the web server level or if an intrusion detection system blocks the malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and can be automated with simple scripts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.5

Vendor Advisory: https://patchstack.com/database/vulnerability/ai-engine/wordpress-ai-engine-plugin-2-1-4-arbitrary-file-upload-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'AI Engine: ChatGPT Chatbot'.
4. Click 'Update Now' or manually update to version 2.1.5 or later.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate ai-engine

Restrict Upload Directory (Linux)

Tighten file permissions in the uploads directory and remove any PHP files already placed there. File modes alone do not stop the PHP handler from running a readable script, so also block PHP execution under the uploads directory in the web server configuration where possible.

# Apply 644 to files only: a recursive chmod 644 on the directories
# themselves would strip their execute bit and break directory traversal.
find /path/to/wp-content/uploads/ -type f -exec chmod 644 {} +
# Remove PHP files from the uploads tree (none should legitimately exist there).
find /path/to/wp-content/uploads/ -name '*.php' -delete

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file uploads to the vulnerable endpoint
  • Monitor file upload directories for suspicious PHP files and implement real-time alerting

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > AI Engine: ChatGPT Chatbot version. If version is 2.1.4 or lower, you are vulnerable.

Check Version:

wp plugin get ai-engine --field=version

Verify Fix Applied:

Confirm plugin version is 2.1.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-content/plugins/ai-engine/ endpoints
  • File uploads with .php extensions in upload logs
  • Multiple failed upload attempts from single IP

Network Indicators:

  • HTTP POST requests with file uploads to AI Engine plugin endpoints
  • Traffic spikes to /wp-content/uploads/ directories

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/ai-engine/*" AND method="POST") AND (file_extension="php" OR file_extension="phtml")
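A small log-based detector for the indicators above, added here as an example and not part of the advisory. The access log lines are constructed, and the plugin endpoint path is a placeholder (the advisory names only the plugin directory, so matching is on the `/wp-content/plugins/ai-engine/` prefix, as in the SIEM query); it also correlates a plugin POST with a later request for a PHP file under `/wp-content/uploads/` from the same IP.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format (not real traffic).
# "EXAMPLE-endpoint.php" is a placeholder; the advisory does not name the endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "POST /wp-content/plugins/ai-engine/EXAMPLE-endpoint.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2024:12:00:02 +0000] "POST /wp-content/plugins/ai-engine/EXAMPLE-endpoint.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2024:12:00:05 +0000] "GET /wp-content/uploads/2024/04/shell-example.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [10/Apr/2024:12:01:00 +0000] "GET /wp-content/uploads/2024/04/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2024:12:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/wp-content/plugins/ai-engine/"
UPLOADS_PREFIX = "/wp-content/uploads/"
PHP_EXT = (".php", ".phtml")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string before checks
    return rec


def detect(log_text, post_threshold=2):
    """Return sorted, de-duplicated (ip, reason) findings for the advisory's indicators."""
    posts = defaultdict(int)      # POSTs to the plugin directory, per source IP
    plugin_posters = set()        # IPs that have already POSTed to the plugin
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            posts[ip] += 1
            plugin_posters.add(ip)
            findings.append((ip, "post_to_ai_engine"))
        if path.startswith(UPLOADS_PREFIX) and path.endswith(PHP_EXT):
            # PHP under uploads is suspicious on its own; after a plugin POST it is a strong signal.
            reason = "php_in_uploads_after_plugin_post" if ip in plugin_posters else "php_in_uploads"
            findings.append((ip, reason))
    for ip, count in posts.items():
        if count >= post_threshold:  # repeated upload attempts from a single IP
            findings.append((ip, "repeated_plugin_posts"))
    return sorted(set(findings))
```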
