AI Threat Alert
CVE-2025-7780
MEDIUMThe AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before...
Full analysis pending. Showing NVD description excerpt.
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling get_audio(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to read any file on the web server and exfiltrate it via the plugin’s OpenAI API integration.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
- plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.3/classes/api.php
- plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.3/classes/engines/chatml.php
- plugins.trac.wordpress.org/changeset/3332540/
- wordpress.org/plugins/ai-engine/
- wordfence.com/threat-intel/vulnerabilities/id/513274bc-3016-4adb-be78-b13c5fae9c03