CVE-2025-8268
📋 TL;DR
The AI Engine WordPress plugin up to version 2.9.5 lacks proper authentication checks in its REST API endpoints, allowing unauthenticated attackers to list and delete files uploaded by other users. This affects all WordPress sites using vulnerable versions of the AI Engine plugin, potentially exposing sensitive user data and causing data loss.
💻 Affected Systems
- AI Engine WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers delete all user-uploaded files, causing permanent data loss and service disruption, while also enumerating sensitive file information for further attacks.
Likely Case
Attackers delete random user files causing data loss and operational issues, or enumerate files to identify sensitive information for subsequent attacks.
If Mitigated
With proper network segmentation and file backups, impact is limited to temporary service disruption until files are restored from backups.
🎯 Exploit Status
Exploitation requires only HTTP requests to specific REST endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ai-engine
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the AI Engine plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, manually download version 2.9.6+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable AI Engine Plugin
Temporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate ai-engine
Restrict REST API Access
Block access to the vulnerable REST endpoints using a web application firewall or .htaccess rules. The rule below requires mod_rewrite (RewriteEngine On) and matches only the pretty-permalink path form; if the site also serves the REST API through the index.php?rest_route= form, cover the query string as well, and confirm the block with a request to the endpoint after deploying it.
# Add to .htaccess:
RewriteCond %{REQUEST_URI} ^/wp-json/ai-engine/v1/(list|delete)_files
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Implement strict network access controls to limit plugin REST API access to trusted IPs only.
- Enable comprehensive file backup system with frequent backups and test restoration procedures.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → AI Engine → Version. If version is 2.9.5 or lower, system is vulnerable.
Check Version:
wp plugin get ai-engine --field=version
Verify Fix Applied:
After update, verify AI Engine plugin version shows 2.9.6 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200/204 responses to /wp-json/ai-engine/v1/list_files or /wp-json/ai-engine/v1/delete_files from unauthenticated IPs
- Unusual file deletion patterns in file system logs
Network Indicators:
- HTTP GET/POST requests to /wp-json/ai-engine/v1/list_files or /wp-json/ai-engine/v1/delete_files without authentication headers
SIEM Query:
source="web_server" AND (uri_path="/wp-json/ai-engine/v1/list_files" OR uri_path="/wp-json/ai-engine/v1/delete_files") AND NOT (user_agent="WordPress/*" OR user_agent="*bot*")
Field names depend on your SIEM's schema. The user-agent exclusions only reduce noise from the site's own cron and crawlers; the header is client-supplied, so do not treat requests carrying those values as benign.
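To turn the log indicators above into something that can be run over an access log, here is an added example (not part of the advisory or of the plugin) that parses combined-format web server lines, picks out requests to the two endpoint paths named on this page, and reports which of them the server actually served (2xx) versus refused (401/403, as a patched site or the .htaccess rule above would do). Access logs do not record cookies or REST nonces, so authentication state is not visible here; every served request is flagged for review and should be correlated with WordPress user or session records. The log lines are constructed for the example, and the ?rest_route= handling assumes the default WordPress behaviour of accepting that form when pretty permalinks are off.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# REST routes named in the advisory, relative to the /wp-json prefix.
WATCHED_ROUTES = ("/ai-engine/v1/list_files", "/ai-engine/v1/delete_files")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<remote_user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Aug/2025:10:02:11 +0000] "GET /wp-json/ai-engine/v1/list_files HTTP/1.1" 200 1834 "-" "python-requests/2.32.3"',
    '203.0.113.10 - - [14/Aug/2025:10:02:13 +0000] "POST /wp-json/ai-engine/v1/delete_files HTTP/1.1" 200 27 "-" "python-requests/2.32.3"',
    '198.51.100.7 - - [14/Aug/2025:10:03:40 +0000] "GET /index.php?rest_route=%2Fai-engine%2Fv1%2Flist_files HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Aug/2025:10:04:02 +0000] "GET /wp-json/ai-engine/v1/list_files HTTP/1.1" 403 60 "-" "curl/8.5.0"',
    '192.0.2.5 - - [14/Aug/2025:10:04:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9100 "-" "curl/8.5.0"',
]


def watched_route(target):
    """Return the watched route a request target addresses, or None.

    Handles both the pretty-permalink form (/wp-json/<route>) and the
    permalink-less form (/index.php?rest_route=<route>) that WordPress accepts.
    """
    path, _, query = target.partition("?")
    candidates = []
    if path.startswith("/wp-json/"):
        candidates.append(path[len("/wp-json"):])
    # parse_qs percent-decodes, so %2Fai-engine%2F... becomes /ai-engine/...
    candidates.extend(parse_qs(query).get("rest_route", []))
    for cand in candidates:
        for route in WATCHED_ROUTES:
            if cand.startswith(route):
                return route
    return None


def scan(lines):
    """Parse log lines and return one record per request to a watched route."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is in another format; skip it
        route = watched_route(m["target"])
        if route is None:
            continue
        status = int(m["status"])
        records.append({
            "ip": m["ip"],
            "method": m["method"],
            "route": route,
            "status": status,
            "ua": m["ua"],
            # A 2xx means the endpoint served the request: that is the indicator on
            # an unpatched site. A 401/403 means the patch or the WAF rule held.
            "served": 200 <= status < 300,
        })
    return records


def served_by_source(records):
    """Count served requests per (client IP, route) for triage."""
    return Counter((r["ip"], r["route"]) for r in records if r["served"])


if __name__ == "__main__":
    recs = scan(SAMPLE_LOG)
    for r in recs:
        flag = "SERVED" if r["served"] else "blocked"
        print(f'{flag:7} {r["ip"]:<14} {r["method"]:<4} {r["route"]} {r["status"]} "{r["ua"]}"')
    for (ip, route), n in served_by_source(recs).items():
        print(f"{ip} -> {route}: {n}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; a served delete_files request from a source with no matching logged-in session is the case to escalate, and a burst of served list_files calls followed by delete_files from the same client matches the worst-case pattern described above.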
🔗 References
- https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L518
- https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L645
- https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L664
- https://www.wordfence.com/threat-intel/vulnerabilities/id/be39e24f-d7d7-44db-9ffd-a4605de8e577?source=cve