
Critical WordPress AI Plugin Vulnerability Impacts 100K+ Sites

Summary

– A security advisory was issued for the AI Engine WordPress plugin, affecting over 100,000 websites, marking its fourth vulnerability this month.
– The latest vulnerability, rated 8.8, allows attackers with subscriber-level access to upload malicious files when the REST API is enabled.
– This is the fifth vulnerability discovered in 2025, following nine in 2024, including one rated 9.8 that allowed unauthenticated file uploads.
– The issue stems from missing file type validation in versions 2.9.3 and 2.9.4, potentially enabling remote code execution.
– Users are advised to update to version 2.9.5 or newer, which includes fixes for file type validation and other security issues.

A critical security flaw in the popular AI Engine WordPress plugin has put over 100,000 websites at risk, marking the fourth major vulnerability discovered this month alone. The high-severity issue, scoring 8.8 out of 10, allows attackers with basic subscriber accounts to upload harmful files when the site’s REST API is active.

This latest security gap follows three other vulnerabilities identified earlier in July, bringing the total to five documented flaws in 2025. Last year was no better: nine vulnerabilities were reported, including one rated 9.8 that permitted unauthenticated attackers to upload malicious content and another 9.1-rated flaw with similar risks.

The current vulnerability is particularly concerning because it requires only minimal privileges. An unauthenticated flaw would be worse, but subscriber-level accounts are easy to obtain, so this vulnerability remains a serious threat. Security analysts at Wordfence traced the issue to inadequate file type validation in REST API functions within versions 2.9.3 and 2.9.4 of the plugin.

Proper file validation is a standard security practice in WordPress, ensuring uploaded files match their expected formats. Without it, attackers can slip harmful scripts into a site’s backend. Wordfence warns that this flaw could allow authenticated users to upload arbitrary files, potentially leading to remote code execution.

The plugin’s developers have released version 2.9.5 to address the issue. The update includes critical fixes such as stricter URL validation for audio transcription and enhanced REST API parameter sanitization to block unauthorized file uploads. Site administrators are urged to install the latest version immediately to mitigate risks.
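To illustrate the bug class the advisory describes (a REST upload endpoint that never checks what kind of file it is storing) and the shape of the fix, here is an added example written for this article; it is not the AI Engine plugin's code. The route name `hypo/v1/upload`, the function names and the allowed-type list are assumptions; the hardened handler relies on WordPress's own `wp_check_filetype_and_ext()` and `wp_handle_upload()` helpers and on a `permission_callback` that requires the `upload_files` capability, which subscribers do not have by default.

```php
<?php
// Hypothetical handlers for a WordPress REST upload route (not the plugin's code).

// WEAK: any authenticated caller can reach this, and the file is written to the
// uploads directory under the client-supplied name with no type check at all.
function hypo_weak_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    $dir   = wp_upload_dir();
    $dest  = $dir['path'] . '/' . basename( $files['file']['name'] );
    move_uploaded_file( $files['file']['tmp_name'], $dest ); // no validation
    return rest_ensure_response( array( 'path' => $dest ) );
}

// HARDENED: whitelist MIME types, verify that the extension matches the file's
// actual content, and let WordPress store it under a sanitized name.
function hypo_safe_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded', array( 'status' => 400 ) );
    }
    $file    = $files['file'];
    // Assumed allow-list for an audio-transcription style endpoint.
    $allowed = array( 'mp3' => 'audio/mpeg', 'wav' => 'audio/wav' );
    // Returns empty 'ext'/'type' when the extension and content do not agree
    // with one of the allowed types (e.g. a PHP script renamed to .mp3).
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed', array( 'status' => 415 ) );
    }
    // wp_handle_upload() repeats the type checks and sanitizes the file name.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'hypo_safe_upload',
        // Require a real upload capability instead of "any logged-in user".
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );
```

The capability check and the content-based type check are independent layers: the first limits who can reach the endpoint, the second limits what a permitted user can store.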

(Source: Search Engine Journal)
