Vulnerability in the AI Engine plugin for WordPress - Affinite.io

In July 2025, the Wordfence security team identified a critical arbitrary file upload vulnerability in the AI Engine plugin for WordPress, affecting approximately 100,000 active installations. This flaw allowed attackers to upload arbitrary files (e.g., PHP) without authentication, potentially leading to full site takeover.

Vulnerability Overview

1. What is an arbitrary file upload?

This type of vulnerability occurs when a plugin accepts uploaded files without proper validation, allowing an attacker to upload a malicious file (such as a PHP script) that the web server will then execute. This often leads to remote code execution (RCE) or full site compromise.

2. Specific mechanism in the AI Engine plugin

This flaw was fixed in version 2.9.5. All previous versions are considered vulnerable.

Impact and Risks

Vulnerability Summary

Vulnerability            | Permissions          | What Attackers Can Do                   | Fix
-------------------------|----------------------|-----------------------------------------|------------------------------------
Arbitrary File Upload    | No login required    | Upload PHP/XSS/malicious files          | File type and extension validation
Missing Permission Check | REST API open to all | Call API endpoints without restrictions | Implement permission_callback check
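The two fixes in the table above, a permission check on the REST route and an allow-list of file types, can be combined in one hardened upload endpoint. The following is an added illustration written for this article, not the AI Engine plugin's own code: the route namespace `example-plugin/v1`, the function names prefixed `example_plugin_`, the `upload_files` capability and the allow-listed types are all assumptions chosen for the example. It uses only standard WordPress APIs (register_rest_route, wp_check_filetype_and_ext, wp_handle_upload).

```php
<?php
// Added example: a hardened WordPress REST upload endpoint.
// Not the AI Engine plugin's code; the route namespace, function names and
// allowed types below are assumptions made for this illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_handle_upload',
        // Without a permission_callback the route is callable by any
        // unauthenticated visitor; require a capability instead.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

/**
 * Allow-list of extensions and MIME types this endpoint accepts.
 * Anything not listed (including .php, .phtml, .phar, .svg) is rejected.
 */
function example_plugin_allowed_types() {
    return array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'pdf'  => 'application/pdf',
        'txt'  => 'text/plain',
    );
}

function example_plugin_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file    = $files['file'];
    $allowed = example_plugin_allowed_types();

    // 1. Validate extension and real content type against the allow-list.
    //    The client-supplied MIME type is ignored because it is trivially spoofed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }

    // 2. Reject double extensions such as "image.php.png": the check above
    //    only inspects the final extension, so verify every segment.
    $parts = explode( '.', $file['name'] );
    array_shift( $parts ); // drop the base name
    foreach ( $parts as $ext ) {
        if ( ! isset( $allowed[ strtolower( $ext ) ] ) ) {
            return new WP_Error( 'bad_type', 'Unexpected extension in filename.', array( 'status' => 415 ) );
        }
    }

    // 3. Let WordPress move the file; wp_handle_upload() re-checks the type
    //    against the allowed MIME list and stores it under wp-content/uploads.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
        // Randomise the stored name so the upload URL cannot be predicted.
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 24, false ) . $ext;
        },
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }

    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

The permission_callback runs before the handler, so an unauthenticated request is rejected with a 401/403 by the REST API itself and never reaches the file-handling code. The allow-list deliberately enumerates what is accepted rather than trying to block dangerous extensions, since deny-lists tend to miss variants such as `.phtml` or `.phar`.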

How to Fix and Protect

Recommendations for Site Owners

If your website uses the AI Engine plugin:

Conclusion

The vulnerability in the AI Engine plugin allowed unauthorized file uploads and potential site takeover. It has been patched in version 2.9.5, and all site owners are strongly encouraged to update immediately. This incident highlights the importance of regular updates, proper API permission checks, and layered security mechanisms.

If you need help verifying plugin versions or securing your WordPress site, don’t hesitate to reach out.
