CVE-2026-1400
📋 TL;DR
This vulnerability in the AI Engine WordPress plugin allows authenticated attackers with Editor-level access or higher to upload arbitrary files, including PHP files, to the server. Attackers can rename benign image files to PHP files via the update_media_metadata endpoint, potentially enabling remote code execution. WordPress sites using AI Engine plugin versions up to 3.3.2 are affected.
💻 Affected Systems
- AI Engine – The Chatbot and AI Framework for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to other systems.
Likely Case
Attackers upload web shells to gain persistent access, modify site content, or install malware for cryptocurrency mining or DDoS participation.
If Mitigated
Attackers can only upload non-executable files, limiting impact to storage consumption or potential data exfiltration of uploaded files.
🎯 Exploit Status
Exploitation requires Editor-level credentials but follows simple steps: upload image, rename to PHP via API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the AI Engine plugin.
4. Click 'Update Now' if available, or download version 3.3.3+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable AI Engine Plugin
All platforms: Temporarily deactivate the vulnerable plugin until it is patched
wp plugin deactivate ai-engine
Restrict Upload Directory Permissions
Linux: Block PHP execution in the uploads directory. File permissions alone do not achieve this (mod_php and PHP-FPM will run any readable .php file, and 644 leaves it readable), so the block must be enforced by the web server. On Apache 2.4 with AllowOverride enabled, place the following in /path/to/wp-content/uploads/.htaccess, then list any PHP files already present so they can be reviewed:
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
find /path/to/wp-content/uploads -name '*.php'
🧯 If You Can't Patch
- Remove Editor role from untrusted users and implement principle of least privilege
- Implement web application firewall rules to block requests to update_media_metadata endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → AI Engine → Version. If version is 3.3.2 or lower, you are vulnerable.
Check Version:
wp plugin get ai-engine --field=version
Verify Fix Applied:
Verify plugin version is 3.3.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/ai-engine/v1/update_media_metadata with file extension changes
- Multiple file uploads from single Editor-level user in short timeframe
- PHP files created in uploads directory with recent timestamps
Network Indicators:
- Unusual outbound connections from WordPress server following file uploads
- Traffic patterns suggesting web shell communication
SIEM Query:
source="wordpress.log" AND ("update_media_metadata" OR "/ai-engine/v1/") AND ("php" OR "extension")
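The log and filesystem indicators above, turned into a small checker. This is an added example, not code from the advisory or the plugin: it parses combined-format access-log lines for successful hits to the endpoint path the advisory names and walks an uploads directory for recently modified PHP files. The log lines are constructed, and the uploads path is a placeholder.

```python
"""Checker for the detection indicators above: successful requests to the
update_media_metadata endpoint per client, and PHP files in wp-content/uploads.
Added example, not from the advisory; the sample log lines are constructed."""
import os
import re
import time
from collections import Counter

# Endpoint path exactly as listed in the advisory's log indicators.
ENDPOINT = "/wp-json/ai-engine/v1/update_media_metadata"
# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "POST /wp-json/ai-engine/v1/update_media_metadata HTTP/1.1" 200 312
203.0.113.10 - - [01/Jan/2026:10:00:02 +0000] "POST /wp-json/ai-engine/v1/update_media_metadata HTTP/1.1" 200 298
198.51.100.7 - - [01/Jan/2026:10:05:00 +0000] "GET /wp-json/ai-engine/v1/update_media_metadata HTTP/1.1" 401 120
198.51.100.7 - - [01/Jan/2026:10:05:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4021
"""


def endpoint_hits(log_text, path=ENDPOINT):
    """Return {client_ip: count} of requests to `path` that got a 2xx response.
    Rejected calls (401/403) are not counted; only accepted ones changed metadata."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _ts, _method, req_path, status = m.groups()
        if req_path.split("?")[0] == path and status.startswith("2"):
            hits[ip] += 1
    return dict(hits)


def recent_php_in_uploads(uploads_dir, max_age_days=7, now=None):
    """Return sorted paths of *.php files under uploads_dir modified within
    max_age_days. A healthy uploads directory should contain no PHP at all."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(root, name)
            if name.lower().endswith(".php") and os.path.getmtime(full) >= cutoff:
                found.append(full)
    return sorted(found)


if __name__ == "__main__":
    print(endpoint_hits(SAMPLE_LOG))
    print(recent_php_in_uploads("/path/to/wp-content/uploads"))  # placeholder path
```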
🔗 References
- https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1104
- https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1141
- https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=cve