A critical vulnerability has been found in the AI Engine WordPress plugin, which has over 100,000 active installations. If the vulnerability is exploited, it can let attackers upload any file, including malicious ones, and take over your entire site.
The Versions 2.9.3 and 2.9.4 of the AI Engine plugin are vulnerable to Remote Code Execution. It allows authenticated users to upload arbitrary files to a WordPress site. An attacker could upload a malicious PHP file and gain full control over the server.
Security researcher ISMAILSHADOW found the vulnerability and responsibly reported the flaw through the Wordfence Bug Bounty Program. He also earned $1,170 bounty.
It is important to note that not all websites using the plugin are vulnerable. If the website has enabled the “Public API” feature and has not configured any API authentication, like a Bearer Token, it is wide open for attackers.
The developer of AI Engine, Jordy Meow, patched the issue quickly. Version 2.9.5 of the plugin includes a fix that now blocks dangerous file types using wp_check_filetype(). If you use the plugin, update it to v2.9.5 immediately. If you are using the “Public API”, make sure you configure authentication.
Security is not a one-time task — it is an ongoing process. I have said this in several of my blog posts before, and it is still true. Always keep your WordPress core, plugins, and themes up to date. Most vulnerabilities get patched quickly, but only if you install the updates. Use reliable security plugins like Wordfence, Sucuri, or iThemes Security to add a firewall and enable malware scanning.
Even with all precautions in place, no system is 100% safe. That is why regular backups are essential. If something goes wrong, backups are your safety net to restore everything without panic.
