CVE-2025-7780: WordPress AI Engine: SSRF leaks files via OpenAI API

MEDIUM
Published July 24, 2025
CISO Take

Any authenticated WordPress subscriber can read arbitrary server files (wp-config.php, .env, credentials) and exfiltrate them through your own OpenAI API key. Update AI Engine plugin to 2.9.5+ immediately or disable it until patched. Review OpenAI API usage logs for unexpected non-audio content in transcription requests.

What is the risk?

CVSS 6.5 understates operational risk. Low-privilege exploitation (subscriber account) with network access and no user interaction makes this trivially weaponizable at scale against WordPress sites. The exfiltration vector through the site's own OpenAI API key is novel: the attacker pays nothing and leaves traces in the victim's API logs, not their own. High exposure surface given AI Engine's wide WordPress adoption.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. PATCH

    Update AI Engine plugin to 2.9.5+ immediately (changeset 3332540 addresses the URL scheme restriction).

  2. TEMPORARY WORKAROUND

    If patching is delayed, disable the AI Engine plugin or block POST requests to the simpleTranscribeAudio endpoint via WAF rule.

  3. DETECTION

    Review OpenAI API logs for transcription requests containing structured text (JSON, PHP, INI format) rather than audio metadata.

  4. POST-INCIDENT

    If exploitation is suspected, rotate all secrets in wp-config.php, .env files, and any credentials readable by the web server process.

  5. HARDEN

    Restrict web server file permissions; ensure the web process cannot read files outside the webroot.
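
One way to run the detection step, as an added example rather than code from the plugin or from OpenAI: it assumes you already hold the bodies that were submitted for transcription (for instance from an egress proxy or application-level capture) and flags any that are structured text rather than audio. The function names, the 4096-byte window, the 95% threshold and the sample records are all constructed for illustration.

```python
import json
import re

AUDIO_MAGIC = (b"ID3", b"fLaC", b"OggS", b"\x1a\x45\xdf\xa3")  # MP3 tag, FLAC, Ogg, WebM
INI_LINE = re.compile(r"^\s*(\[[^\]]+\]|[A-Za-z_][\w.]*\s*=)", re.M)

def looks_like_audio(data: bytes) -> bool:
    if data.startswith(AUDIO_MAGIC):
        return True
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":  # WAV container
        return True
    if data[4:8] == b"ftyp":                           # MP4 / M4A container
        return True
    # Bare MPEG audio frame: the first 11 bits are all set.
    return len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def classify_upload(data: bytes) -> str:
    if looks_like_audio(data):
        return "audio"
    head = data[:4096]
    ascii_ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    if not head or ascii_ok / len(head) < 0.95:
        return "unknown-binary"
    text = head.decode("utf-8", errors="replace").lstrip()
    if text.startswith("<?php"):
        return "text:php"
    if text.startswith(("{", "[")):
        try:
            json.loads(data.decode("utf-8"))
            return "text:json"
        except ValueError:  # also covers UnicodeDecodeError
            pass
    if len(INI_LINE.findall(text)) >= 2:
        return "text:ini"
    return "text:other"

def flag_suspicious(records):
    """records: iterable of (request_id, body_bytes); returns the non-audio ones."""
    return [(rid, kind) for rid, body in records
            if (kind := classify_upload(body)) != "audio"]

# Constructed sample records (not real traffic).
SAMPLES = [
    ("req-1", b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 16),
    ("req-2", b"<?php\ndefine( 'DB_NAME', 'example' );\n"),
    ("req-3", b"APP_KEY=constructed\nDB_HOST=localhost\n"),
    ("req-4", b'{"db": {"password": "constructed"}}'),
]
```

Any request flagged as `text:*` is worth correlating with the WordPress user who issued it.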

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.6.1.4 - Information security for AI systems
A.9.3 - AI system access control

NIST AI RMF
GOVERN-1.7 - Processes for AI risk management
MANAGE-2.2 - Mechanisms to sustain effectiveness of AI risk management

OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-7780?

Any authenticated WordPress subscriber can read arbitrary server files (wp-config.php, .env, credentials) and exfiltrate them through your own OpenAI API key. Update AI Engine plugin to 2.9.5+ immediately or disable it until patched. Review OpenAI API usage logs for unexpected non-audio content in transcription requests.

Is CVE-2025-7780 actively exploited?

No confirmed active exploitation of CVE-2025-7780 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-7780?

  1. PATCH: Update AI Engine plugin to 2.9.5+ immediately (changeset 3332540 addresses the URL scheme restriction).
  2. TEMPORARY WORKAROUND: If patching is delayed, disable the AI Engine plugin or block POST requests to the simpleTranscribeAudio endpoint via WAF rule.
  3. DETECTION: Review OpenAI API logs for transcription requests containing structured text (JSON, PHP, INI format) rather than audio metadata.
  4. POST-INCIDENT: If exploitation is suspected, rotate all secrets in wp-config.php, .env files, and any credentials readable by the web server process.
  5. HARDEN: Restrict web server file permissions; ensure the web process cannot read files outside the webroot.

What systems are affected by CVE-2025-7780?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin deployments, LLM API integrations, OpenAI Whisper integrations, Server-side AI processing pipelines.

What is the CVSS score for CVE-2025-7780?

CVE-2025-7780 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.48%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin deployments
LLM API integrations
OpenAI Whisper integrations
Server-side AI processing pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0024 Exfiltration via AI Inference API
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.6.1.4, A.9.3
NIST AI RMF: GOVERN-1.7, MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling get_audio(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to read any file on the web server and exfiltrate it via the plugin’s OpenAI API integration.
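
The missing check described in the advisory, as an added illustration written in Python to show the logic (it is not the plugin's PHP code or its actual patch): a caller-supplied audio URL is accepted only if its scheme is http or https. Going one step beyond the advisory, it also refuses literal non-public addresses. `validate_audio_url` and `ALLOWED_SCHEMES` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: remote audio is only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}

def validate_audio_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a caller-supplied audio URL.

    Intended to run before any fetch, so a rejected URL is never opened.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Covers file:// and bare filesystem paths (empty scheme).
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name: resolve and re-check the address at fetch time
    if ip is not None and not ip.is_global:
        return False, f"non-public address {ip}"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback host name"
    return True, "ok"
```

A name that passes here can still resolve to an internal address, so the fetch layer should apply the same address check to the resolved IP and not follow redirects unchecked.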

Exploitation Scenario

An adversary registers a free subscriber account on a target WordPress site (common in sites with open registration). They craft a POST request to the simpleTranscribeAudio endpoint with a URL parameter set to file:///var/www/html/wp-config.php. The plugin calls get_audio() without scheme validation, reads the file contents, and submits them to OpenAI's Whisper transcription endpoint using the site's own API key. The API response (or error message containing the file data) is returned to the attacker. The attacker repeats this for /etc/passwd, .env, application secrets, and any other file accessible to the web process — all billed to the victim's OpenAI account.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 24, 2025
Last Modified: April 15, 2026
First Seen: July 24, 2025
