CVE-2024-52384: Sage AI Plugin: unrestricted upload → web shell RCE
CRITICAL
Any WordPress site running the Sage AI plugin ≤2.4.9 is critically exposed: a low-privilege account is all it takes to upload a PHP web shell and own the server. Patch immediately, rotate all OpenAI API keys stored in that WordPress instance, and audit wp-content/uploads for existing shells. Treat this as a confirmed breach until proven otherwise.
What is the risk?
CVSS 9.9 with Scope:Changed signals this is more dangerous than a typical plugin flaw — exploitation is trivially easy (low privilege, no user interaction, network-accessible) and impact cascades beyond WordPress to the entire hosting environment. AI-integrated WordPress sites are particularly high-value targets: they store OpenAI API keys, DALL-E credentials, and often handle user-submitted prompts, making them attractive for API key theft and cost-harvesting campaigns. No active KEV listing yet, but the low barrier to exploitation makes weaponization highly likely.
What should I do?
6 steps
1. PATCH: Update Sage AI plugin to the latest version immediately (2.4.10+). If patching is not immediately possible, deactivate the plugin.
2. ROTATE: Invalidate and regenerate all OpenAI API keys associated with the affected WordPress installation via the OpenAI dashboard.
3. AUDIT: Scan wp-content/uploads and all writable directories for .php files — any PHP file in these paths is a likely web shell. Use tools like NinjaScanner or manual find commands.
4. HARDEN: Add 'php_flag engine off' to wp-content/uploads/.htaccess to block PHP execution in upload directories regardless of patch status.
5. RESTRICT: Limit file upload permissions to admin roles only in WordPress user management.
6. MONITOR: Alert on creation of executable files in web-accessible directories via file integrity monitoring (Wordfence, Sucuri, or auditd on the host).
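The AUDIT and HARDEN steps as a script, added here as an example (not code from the advisory or the plugin). It goes beyond plain .php files by also reporting double extensions such as shell.php.jpg and any file that contains a PHP open tag; the function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress uploads tree for likely web shells and
# verify the HARDEN step. Function names are illustrative, not plugin code.

# Files whose NAME can be handled as PHP. A PHP extension anywhere in the
# name is matched, so shell.php.jpg is reported as well as shell.php.
suspect_names() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.php.*' -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Files whose CONTENT holds a PHP open tag, whatever the extension
# (a script uploaded as .jpg, .gif or .txt).
suspect_content() {
    find "$1" -type f -exec grep -lF '<?php' {} +
}

# Union of both checks, one path per line, de-duplicated.
find_suspect_uploads() {
    { suspect_names "$1"; suspect_content "$1"; } | sort -u
}

# Succeeds only if DIR/.htaccess carries the directive from the HARDEN step.
uploads_php_blocked() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' \
            "$1/.htaccess"
}

# Report for one uploads directory; returns 1 if anything needs attention.
audit_uploads() {
    rc=0
    hits=$(find_suspect_uploads "$1")
    if [ -n "$hits" ]; then
        printf 'SUSPECT files under %s:\n%s\n' "$1" "$hits"; rc=1
    fi
    if ! uploads_php_blocked "$1"; then
        printf 'MISSING: php_flag engine off in %s/.htaccess\n' "$1"; rc=1
    fi
    return "$rc"
}

# Run only when a directory is given, e.g.
#   sh audit_uploads.sh /var/www/html/wp-content/uploads
if [ "$#" -gt 0 ]; then audit_uploads "$1"; fi
```

php_flag takes effect only where PHP runs as an Apache module (mod_php); under PHP-FPM or nginx, block PHP execution for the uploads path in the server configuration instead.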
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-52384 actively exploited?
No confirmed active exploitation of CVE-2024-52384 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2024-52384?
This vulnerability affects the following AI/ML architecture patterns: WordPress AI chatbot deployments, LLM API integration plugins, AI content generation platforms, OpenAI-integrated web applications.
What is the CVSS score for CVE-2024-52384?
CVE-2024-52384 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.48%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0034 Cost Harvesting
- AML.T0040 AI Model Inference API Access
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
Unrestricted Upload of File with Dangerous Type vulnerability in Sage AI Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation allows Upload a Web Shell to a Web Server. This issue affects Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation: from n/a through 2.4.9.
Exploitation Scenario
An adversary identifies a WordPress site using the Sage AI plugin via WPScan or passive reconnaissance on plugin footprints. They register as a subscriber (or use a previously compromised low-privilege account). Using the plugin's file upload endpoint — intended for AI-related media assets — the attacker submits a crafted multipart POST request with a PHP web shell named with a double extension or MIME type bypass (e.g., shell.php.jpg). The plugin stores the file in a web-accessible uploads directory without validating the actual file content. The attacker then browses directly to the uploaded shell URL and executes arbitrary OS commands, extracting wp-config.php and the full database dump. OpenAI API keys are harvested and immediately used for bulk GPT-4 content generation or sold, while the compromised server may be enrolled in a botnet or used as a staging point for lateral movement.
Weaknesses (CWE)
CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
- [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all. [REF-422] [REF-423]
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read (same attack type: Data Extraction)
- CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE (same attack type: Code Execution)
- CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata (same attack type: Data Extraction)
- CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10) (same attack type: Data Extraction)
- CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection (same attack type: Code Execution)