CVE-2025-13380

6.5 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to read arbitrary files on the server through the AI Engine for WordPress plugin. Insufficient path validation and unrestricted URL protocols in the plugin's lqdai_update_post AJAX handler let an attacker reach sensitive files such as wp-config.php, database credentials, or other private data that the web server process can read. All WordPress sites running a vulnerable version of the plugin are affected.

💻 Affected Systems

Products:
  • AI Engine for WordPress: ChatGPT, GPT Content Generator plugin
Versions: All versions up to and including 1.0.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one authenticated user with Contributor role or higher.

⚠️ Manual Verification Required

The CVE record for this entry carries no specific version information, so automatic vulnerability detection keyed on that record cannot determine whether your system is affected.

Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The affected range given above (1.0.1 and earlier, fixed in 1.0.2) must therefore be confirmed against the installed plugin version rather than taken from an automated scan.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the plugin's changelog and repository tags for your specific version
  3. Test whether the vulnerability is exploitable in your environment, using a non-administrative test account on a staging copy
  4. Update to 1.0.2 or later rather than waiting for automated detection

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain database credentials, SSH keys, or other sensitive configuration files that the web server process can read, leading to full system compromise, data theft, or lateral movement within the network.

🟠 Likely Case

Attackers read wp-config.php, which holds the database credentials and the authentication salts, potentially leading to database access and site takeover.

🟢 If Mitigated

With the plugin updated or the endpoint disabled, and Contributor-or-higher accounts limited to trusted users, the flaw is not reachable. On an unpatched site, file-system permissions and PHP's open_basedir setting (where configured) bound what can be read to files the web server process is allowed to open; network segmentation does not limit a local file read, only what an attacker can do with the credentials found in it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (an account with the Contributor role or higher is required)
Complexity: LOW

Exploitation requires authenticated access but is straightforward with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.2/ (tag 1.0.2 of the plugin in the WordPress.org repository, i.e. the patched source rather than a written advisory)

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'AI Engine for WordPress: ChatGPT, GPT Content Generator'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.0.2 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

Applies to: all

Remove or restrict access to the vulnerable 'lqdai_update_post' AJAX endpoint.

Add to a child theme's functions.php or to a custom (mu-)plugin: remove_action('wp_ajax_lqdai_update_post', 'lqdai_update_post');

Caveat: remove_action() returns false and does nothing if the callback name or priority differs from what the plugin registered, or if it runs before the plugin has added its hook. Confirm afterwards with has_action() for that hook and callback (it returns false once the handler is gone), and prefer a child theme or mu-plugin over the parent theme's functions.php, which a theme update overwrites.

Restrict user roles

Applies to: all

Temporarily remove Contributor and higher roles from untrusted users (demote them to Subscriber) until the plugin is updated.
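The following mu-plugin is an added example for the endpoint workaround above, not code from this advisory or from the AI Engine plugin. It applies the remove_action() call and, because that call fails silently when the plugin registered its handler under a different callback name or priority, also gates the AJAX action itself so that only administrators reach whatever handler remains. The callback name 'lqdai_update_post' is the one this page gives; the file name, the use of manage_options as the gate, and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: CVE-2025-13380 interim block for lqdai_update_post
 * Description: Temporary mitigation. Remove once the AI Engine plugin is at 1.0.2 or later.
 *
 * Save as wp-content/mu-plugins/cve-2025-13380-block.php. Must-use plugins load
 * before ordinary plugins and cannot be deactivated from the dashboard.
 */

if (!defined('ABSPATH')) {
    exit;
}

// 1) Unhook the handler. Runs on admin_init, which admin-ajax.php fires only after
//    every plugin has had the chance to register its hooks (plugin load,
//    plugins_loaded, init), so the removal is not attempted too early. The callback
//    name 'lqdai_update_post' is taken from the advisory; remove_action() silently
//    does nothing if the plugin actually registered a differently named callback or
//    a different priority, which is why step 2 exists.
add_action('admin_init', function () {
    remove_action('wp_ajax_lqdai_update_post', 'lqdai_update_post');
    // has_action() with a callback returns its priority, or false once it is gone.
    if (has_action('wp_ajax_lqdai_update_post', 'lqdai_update_post') !== false) {
        error_log('CVE-2025-13380 block: unhook failed, relying on capability gate');
    }
}, PHP_INT_MAX);

// 2) Gate the AJAX action at priority 0 so this callback runs before any handler
//    the plugin may still have attached. Contributors, Authors and Editors are
//    refused; only users with manage_options (administrators) fall through.
add_action('wp_ajax_lqdai_update_post', function () {
    if (current_user_can('manage_options')) {
        return;
    }
    $user = wp_get_current_user();
    // Log the body: the web server's access log never records POST data, so this
    // is the only application-level trace of a traversal attempt. REMOTE_ADDR is
    // the proxy's address when a reverse proxy or CDN sits in front of PHP.
    // wp_json_encode() escapes newlines, so a crafted value cannot forge log lines.
    error_log(sprintf(
        'CVE-2025-13380 blocked: user=%s id=%d ip=%s body=%s',
        $user->user_login,
        $user->ID,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        substr(wp_json_encode(wp_unslash($_POST)), 0, 512)
    ));
    wp_send_json_error(['message' => 'Endpoint disabled pending plugin update.'], 403);
}, 0);
```

Whether or not the unhook succeeds, a Contributor-level request to this action receives a 403 and a log line; administrators only reach the original handler if it is still attached. Delete the file after updating to 1.0.2 or later.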

🧯 If You Can't Patch

  • Immediately disable the AI Engine plugin via WordPress admin or by renaming its directory
  • Implement web application firewall rules that block requests to /wp-admin/admin-ajax.php carrying action=lqdai_update_post in either the query string or the request body (admin-ajax.php accepts the action name from both), which means the rule must inspect POST bodies, not just URIs

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'AI Engine for WordPress' version 1.0.1 or earlier

Check Version:

wp plugin get liquid-chatgpt --field=version (if WP-CLI is installed; liquid-chatgpt is the plugin slug from the repository path above, and WP-CLI matches plugins by slug, not by display name)

Verify Fix Applied:

Confirm plugin version is 1.0.2 or later in WordPress admin plugins page

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=lqdai_update_post whose body contains file paths, traversal sequences (../), or URL schemes such as file:// or php://, in any log source that records request bodies (WAF or ModSecurity audit logs; the access log alone shows only the URI)
  • PHP error-log entries such as open_basedir restriction warnings or failed file opens, and auditd or file-integrity events showing the web server user reading wp-config.php, /etc/passwd, or other files the plugin has no reason to touch

Network Indicators:

  • Connections to the database from hosts other than the web server, or logins using the credentials stored in wp-config.php from unexpected source addresses, following a suspicious read of that file

SIEM Query:

source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data="action=lqdai_update_post" AND (post_data CONTAINS "../" OR post_data CONTAINS "/etc/" OR post_data CONTAINS "wp-config")

This query needs a source that captures request bodies (a WAF or ModSecurity audit log); ordinary web server access logs do not record POST data, so the post_data field will be empty there. Plain substring matches also miss percent-encoded forms of the same paths (%2e%2e%2f for ../), so decode the body before matching or add the encoded variants to the query.
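As an added example, not taken from this advisory, here is the body-aware matching the query above needs, written as a PHP CLI script so it can run on the web host against an exported WAF or application log. The record format, the marker list, and the sample lines are constructed for the example; the decoding loop is what catches the percent-encoded traversal that a literal CONTAINS "../" misses.

```php
<?php
// Added example, not part of the advisory or the plugin. Requires PHP 8.0+
// (str_contains). Scans request records for lqdai_update_post calls that
// carry traversal or sensitive-file markers, normalising URL encoding first
// so that %2e%2e%2f, double-encoded %252e, and mixed case are caught as well
// as the literal "../" the SIEM query looks for.

// Substrings that should never appear in a legitimate post-update request body.
const SENSITIVE_MARKERS = ['../', '..\\', '/etc/', 'wp-config', 'php://', 'file://'];

/** Decode percent-encoding up to three times (defeats double encoding) and lowercase. */
function normalize_body(string $body): string
{
    $out = $body;
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($out);
        if ($decoded === $out) {
            break;
        }
        $out = $decoded;
    }
    return strtolower($out);
}

/** True for a POST to admin-ajax.php with action=lqdai_update_post and a marker in the body. */
function is_suspicious_request(string $method, string $uri, string $body): bool
{
    if (strtoupper($method) !== 'POST' || !str_contains($uri, '/wp-admin/admin-ajax.php')) {
        return false;
    }
    parse_str($body, $params); // single decode, as PHP itself populates $_POST
    if (($params['action'] ?? '') !== 'lqdai_update_post') {
        return false;
    }
    $norm = normalize_body($body);
    foreach (SENSITIVE_MARKERS as $marker) {
        if (str_contains($norm, $marker)) {
            return true;
        }
    }
    return false;
}

/**
 * Each line is "<ip> <method> <uri> <body>", a constructed format standing in for
 * a WAF/ModSecurity audit log or an application log that records bodies. Plain
 * access logs carry no POST body and cannot feed this check. Returns flagged records.
 */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $parts = explode(' ', trim($line), 4);
        if (count($parts) < 4) {
            continue;
        }
        [$ip, $method, $uri, $body] = $parts;
        if (is_suspicious_request($method, $uri, $body)) {
            $hits[] = ['line' => $n + 1, 'ip' => $ip, 'body' => $body];
        }
    }
    return $hits;
}

// Constructed sample records: one benign update, one file:// URL to /etc/passwd,
// one double-encoded traversal to wp-config.php, one unrelated request, and one
// traversal string under a different action that must not be flagged.
$sample = [
    '203.0.113.5 POST /wp-admin/admin-ajax.php action=lqdai_update_post&post_id=12&content=hello',
    '203.0.113.5 POST /wp-admin/admin-ajax.php action=lqdai_update_post&url=file%3A%2F%2F%2Fetc%2Fpasswd',
    '198.51.100.7 POST /wp-admin/admin-ajax.php action=lqdai_update_post&url=%252e%252e%252fwp-config.php',
    '198.51.100.7 GET /wp-login.php -',
    '192.0.2.9 POST /wp-admin/admin-ajax.php action=heartbeat&data=../../etc/passwd',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d from %s: %s\n", $hit['line'], $hit['ip'], $hit['body']);
}
```

Run with `php scan.php`. Only the second and third sample lines are reported: the second because its decoded body contains file:// and /etc/, the third because two rounds of decoding expose ../wp-config.php. The last line carries the same traversal string but under the heartbeat action, so it is ignored; widen the action check if you also want to see traversal attempts against other handlers.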
