CVE-2025-7780 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

Any authenticated WordPress subscriber can read arbitrary server files (wp-config.php, .env, credentials) and exfiltrate them through your own OpenAI API key. Update AI Engine plugin to 2.9.5+ immediately or disable it until patched. Review OpenAI API usage logs for unexpected non-audio content in transcription requests.

Risk Assessment

CVSS 6.5 understates operational risk. Low-privilege exploitation (subscriber account) with network access and no user interaction makes this trivially weaponizable at scale against WordPress sites. The exfiltration vector through the site's own OpenAI API key is novel: the attacker pays nothing and leaves traces in the victim's API logs, not their own. High exposure surface given AI Engine's wide WordPress adoption.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 25% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

PATCH

Update AI Engine plugin to 2.9.5+ immediately (changeset 3332540 addresses the URL scheme restriction).
TEMPORARY WORKAROUND

If patching is delayed, disable the AI Engine plugin or block POST requests to the simpleTranscribeAudio endpoint via WAF rule.
DETECTION

Review OpenAI API logs for transcription requests containing structured text (JSON, PHP, INI format) rather than audio metadata.
POST-INCIDENT: If exploitation suspected, rotate all secrets in wp-config.php, .env files, and any credentials readable by the web server process.
HARDEN

Restrict web server file permissions; ensure the web process cannot read files outside the webroot.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Auth Bypass Plugin API AML.T0012 - Valid Accounts AML.T0024 - Exfiltration via AI Inference API AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

ISO 42001

A.6.1.4 - Information security for AI systems A.9.3 - AI system access control

NIST AI RMF

GOVERN-1.7 - Processes for AI risk management MANAGE-2.2 - Mechanisms to sustain effectiveness of AI risk management

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-7780?

Any authenticated WordPress subscriber can read arbitrary server files (wp-config.php, .env, credentials) and exfiltrate them through your own OpenAI API key. Update AI Engine plugin to 2.9.5+ immediately or disable it until patched. Review OpenAI API usage logs for unexpected non-audio content in transcription requests.

Is CVE-2025-7780 actively exploited?

No confirmed active exploitation of CVE-2025-7780 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-7780?

1. PATCH: Update AI Engine plugin to 2.9.5+ immediately (changeset 3332540 addresses the URL scheme restriction). 2. TEMPORARY WORKAROUND: If patching is delayed, disable the AI Engine plugin or block POST requests to the simpleTranscribeAudio endpoint via WAF rule. 3. DETECTION: Review OpenAI API logs for transcription requests containing structured text (JSON, PHP, INI format) rather than audio metadata. 4. POST-INCIDENT: If exploitation suspected, rotate all secrets in wp-config.php, .env files, and any credentials readable by the web server process. 5. HARDEN: Restrict web server file permissions; ensure the web process cannot read files outside the webroot.

What systems are affected by CVE-2025-7780?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin deployments, LLM API integrations, OpenAI Whisper integrations, Server-side AI processing pipelines.

What is the CVSS score for CVE-2025-7780?

CVE-2025-7780 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling get_audio(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to read any file on the web server and exfiltrate it via the plugin’s OpenAI API integration.

Exploitation Scenario

An adversary registers a free subscriber account on a target WordPress site (common in sites with open registration). They craft a POST request to the simpleTranscribeAudio endpoint with a URL parameter set to file:///var/www/html/wp-config.php. The plugin calls get_audio() without scheme validation, reads the file contents, and submits them to OpenAI's Whisper transcription endpoint using the site's own API key. The API response (or error message containing the file data) is returned to the attacker. The attacker repeats this for /etc/passwd, .env, application secrets, and any other file accessible to the web process — all billed to the victim's OpenAI account.