Flaw in AI Plugin Exposes 50,000 WordPress Sites to Remote Attack


A critical vulnerability has been identified in the world-renowned AI Engine plugin for WordPress, specifically affecting its free version with over 50,000 active installations. The plugin is widely recognized for its diverse AI-related functionalities, allowing users to create chatbots, manage content and utilize various AI tools such as translation, SEO keywords and more.

What caused the security flaw?

According to an advisory published today by Patchstack, the vulnerability is an unauthenticated arbitrary file upload in the plugin’s ‘rest_upload’ function within the files.php module. A file with the .php extension contains PHP, an open-source server-side scripting language (which by nature isn’t owned by anybody); such scripts are executed on the web server. PHP is the most extensively used web scripting language and lends itself well to the time-effective development of large-scale web applications. The vulnerability permits any unauthenticated user to upload arbitrary files, including potentially malicious PHP files, which could lead to remote code execution on the affected system. Notably, the permission_callback parameter of the relevant REST API endpoint is set to __return_true, so any unauthenticated user can trigger the vulnerable function. The lack of proper file type and extension validation in the code allows arbitrary files to be uploaded, posing a significant security risk.

To mitigate this vulnerability, the plugin’s development team introduced a patch in version 1.9.99. The patch implements a permission check on the custom REST API endpoint and incorporates file type and extension checks using the wp_check_filetype_and_ext function.
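The two patterns the advisory contrasts, shown as an added illustration rather than the AI Engine plugin’s own code: a custom REST upload route registered with `permission_callback` set to `__return_true` and no file validation, beside a hardened version that requires a capability and validates the file with wp_check_filetype_and_ext before handing it to WordPress core. The route names, function names and the `file` field name are assumptions; the WordPress APIs used are real.

```php
<?php
// Illustrative example (not the plugin's code). Assumes WordPress core is loaded.

// WEAK PATTERN: the route is open to everyone and the upload is written under
// its client-supplied name with no type or extension check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_upload_weak',
        'permission_callback' => '__return_true', // any unauthenticated caller passes
    ) );
} );

function example_rest_upload_weak( WP_REST_Request $request ) {
    $file = $request->get_file_params()['file'];
    $dir  = wp_upload_dir();
    // No validation: a .php upload lands inside the web root.
    move_uploaded_file( $file['tmp_name'], $dir['path'] . '/' . basename( $file['name'] ) );
    return rest_ensure_response( array( 'name' => basename( $file['name'] ) ) );
}

// HARDENED PATTERN: require a capability, then validate type and extension.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_upload_safe',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' ); // authenticated + capability
        },
    ) );
} );

function example_rest_upload_safe( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];
    // Checks the claimed extension against the allowed MIME list and the file's real content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.', array( 'status' => 415 ) );
    }
    // Let core store the file; wp_handle_upload repeats the checks and sanitises the name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

A quick self-check for any plugin: search its code for `'permission_callback' => '__return_true'` and confirm every such route that touches `$_FILES` or writes to disk either does not need to be public or validates its input as above.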

Patchstack recommendations

In light of these findings, users are strongly advised to update their AI Engine plugin to at least version 1.9.99 to ensure their systems are protected against potential exploitation. The identifier CVE-2023-51409 has been assigned to track the issue.

“Always check every process of $_FILES parameters in the plugin or theme code,” reads the Patchstack advisory. “Make sure to apply a check on the filename and extension before uploading the file. Also, pay extra attention to the permission checks on the custom REST API endpoints.”

Further defences against remote attacks

Users wanting to limit remote cyber-attacks even further are advised to invest in and prioritise big data analytics (BDA). Investing in data analytics and tools enables the user to effectively manage all types of data within the business, which then gives a precise, clear insight into threats and opportunities to improve the current situation.

The role of Big Data analytics (BDA)

Big data analytics is pivotal to the successful defence against cyber threats. As the threats are continually evolving in terms of their sophistication and accessibility, users must be aware of up-to-date information and knowledge. In an ever-changing cyber environment, training and knowledge are key.

Big data analytics events and conferences are an excellent step in combating any potential future cyber threats. Not only can you up-skill your teams with the most recent knowledge and education, but they also provide businesses with an invaluable opportunity to network and meet like-minded professionals. Having a sense of community in times of cyber uncertainty is key to success.