Vulnerability in WordPress AI Engine Plugin

By admin Aug 5, 2025
Vulnerability in WordPress AI Engine Plugin Affects 100,000+ Websites

A newly discovered security flaw in the popular AI Engine WordPress plugin, used on over 100,000 websites, has raised fresh concerns in the WordPress community. This marks the fifth vulnerability reported in the plugin in 2025, and the fourth just in the month of July.

High-Risk Vulnerability Rated 8.8

The latest vulnerability, rated 8.8 out of 10, allows attackers with only subscriber-level access to upload malicious files when the plugin’s REST API is enabled. While not as severe as unauthenticated exploits, the low level of access required makes this a serious threat.

The issue stems from a lack of proper file type validation in versions 2.9.3 and 2.9.4, specifically within a function tied to the plugin’s REST API. Without validation, malicious users can upload files that may lead to remote code execution on the affected server.

Wordfence Explains the Risk

According to a Wordfence advisory, the flaw:

“Allows authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server when the REST API is enabled, which may make remote code execution possible.”

This kind of vulnerability can be particularly dangerous if not addressed promptly, as it could give attackers a foothold into the server.

Patch Available in Version 2.9.5

The plugin’s developer has released a security patch in version 2.9.5, which addresses multiple issues:

  • Fixed a Server-Side Request Forgery (SSRF) vulnerability by validating URL schemes in the audio transcription feature.
  • Sanitised REST API parameters to prevent misuse of API keys.
  • Most critically, added strict file type validation to block unauthorized PHP file execution.
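The two controls the release notes describe, a strict upload file type check (the flaw discussed above) and URL scheme validation before a server-side fetch, look roughly like the following on a WordPress REST route. This is an added illustration written for this article, not the AI Engine plugin's own code: the `example-ai/v1` namespace, the route names, the `file` upload field, the `url` parameter and the audio allow-list are all assumptions. Everything else is standard WordPress API.

```php
<?php
// Illustrative hardening example (not the plugin's code). Route names, the
// 'file' field, the 'url' parameter and the allow-list are assumptions.

add_action( 'rest_api_init', function () {
    // Subscriber accounts do not hold 'upload_files' by default (Authors and
    // above do), so the capability check alone removes the access level the
    // advisory describes. The callbacks then validate what is actually sent.
    register_rest_route( 'example-ai/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_ai_handle_upload',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );

    register_rest_route( 'example-ai/v1', '/transcribe', array(
        'methods'             => 'POST',
        'callback'            => 'example_ai_transcribe_url',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

/**
 * Store an upload only if its extension is on an explicit allow-list and the
 * sniffed content type is consistent with that extension.
 */
function example_ai_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Allow-list of what the feature needs. PHP, HTML, SVG and everything
    // else are rejected simply by not being listed.
    $allowed = array(
        'mp3' => 'audio/mpeg',
        'wav' => 'audio/wav',
        'ogg' => 'audio/ogg',
        'm4a' => 'audio/mp4',
    );

    // Checks the extension against $allowed and, where PHP's fileinfo
    // extension is available, that the sniffed type agrees with it.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.', array( 'status' => 415 ) );
    }

    // Rebuild the name from a sanitised basename plus the validated extension,
    // so a double extension such as "x.php.mp3" cannot survive into storage.
    $file['name'] = sanitize_file_name( pathinfo( $file['name'], PATHINFO_FILENAME ) )
        . '.' . $check['ext'];

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // 'mimes' makes wp_handle_upload() re-validate against the same list.
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'], array( 'status' => 500 ) );
    }

    return rest_ensure_response( array(
        'file' => basename( $moved['file'] ),
        'type' => $moved['type'],
    ) );
}

/**
 * Fetch a caller-supplied URL only if it is a public http(s) URL.
 */
function example_ai_transcribe_url( WP_REST_Request $request ) {
    $url = esc_url_raw( (string) $request->get_param( 'url' ) );

    // wp_http_validate_url() rejects non-http(s) schemes, user:pass@ URLs and
    // hosts that resolve to loopback, link-local or private ranges unless a
    // filter explicitly allows them.
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'bad_url', 'Only public http/https URLs are accepted.', array( 'status' => 400 ) );
    }

    // wp_safe_remote_get() applies the same validation again, including to
    // redirect targets, so a redirect to an internal address is also refused.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    return rest_ensure_response( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'bytes'  => strlen( wp_remote_retrieve_body( $response ) ),
    ) );
}
```

The design point is that both checks are allow-lists: the upload handler names the few types it accepts rather than trying to block `.php`, and the fetch handler accepts only public `http`/`https` targets rather than trying to enumerate bad schemes. A permission callback on its own would not have been enough in this case, since the advisory notes the endpoint was reachable by any authenticated user; the content validation has to happen regardless of who the caller is.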

A Troubling Trend

This vulnerability follows four others discovered this year, highlighting a growing pattern. In comparison, nine vulnerabilities were reported in 2024 alone, including one with a severity rating of 9.8 that allowed unauthenticated file uploads, and another rated 9.1.

What Site Owners Should Do

If you’re using the AI Engine plugin, it’s highly recommended to update immediately to version 2.9.5 or later. Ensuring your plugins are up to date is one of the most effective ways to keep your WordPress site secure.