
Arbitrary File Upload flaw in AI Power plugin affects 10,000+ sites

A critical vulnerability, CVE-2024-10392 (CVSS score of 9.8), in the widely used AI Power: Complete AI Pack WordPress plugin affects more than 10,000 websites worldwide. The flaw, present in versions up to and including 1.8.89, enables attackers to upload arbitrary files to a website’s server, potentially allowing them to execute malicious code remotely, a severe threat to site security.

The Arbitrary File Upload vulnerability stems from the plugin’s ‘handle_image_upload’ function, which handles image uploads during AI-powered chat interactions. This function does not validate the type or extension of the uploaded file, so a malicious file can be written into the WordPress uploads directory.

In the worst-case scenario, attackers could upload and execute harmful PHP files, putting them in control of the site’s backend, which could lead to full site compromise through methods like webshells.

To fix the flaw, update the plugin to the patched version, 1.8.90.

Security analysis by researchers shows that, because no file type checks are performed, the upload process itself can be exploited: by default the plugin writes uploaded files to the WordPress filesystem without verifying their extensions, so an attacker can deploy PHP scripts.

“Unfortunately, the function does not include any file type or extension checks in the vulnerable version. This means that not only image files can be uploaded, but it is also possible to upload files with a .php extension,” researchers explain. “The file is uploaded to the WordPress uploads folder, which is publicly accessible by default. This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”

Once in the system, these scripts can be accessed and executed remotely, granting attackers complete control over the site.
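To make the missing check concrete, below is an added illustration written for this article; it is not code from the AI Power plugin and does not reproduce its handler. It contrasts an upload handler that trusts the client-supplied file name (the weak pattern the researchers describe) with a hardened one built on WordPress core APIs (wp_check_filetype_and_ext, wp_handle_upload, current_user_can, wp_verify_nonce). The function names, the nonce action 'ai_chat_image_upload', the 'upload_files' capability choice and the 2 MB size limit are assumptions made for the example.

```php
<?php
// Constructed example for this article, not the AI Power plugin's own code.
// Both functions expect the $_FILES['image'] array that PHP builds for a
// multipart upload: name, type, tmp_name, error, size.

// Weak pattern: the client-supplied name decides the extension, and the file
// is written straight into the publicly reachable uploads directory.
// Nothing stops a .php file from landing there.
function weak_handle_image_upload( array $file ) {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $target ); // no type or extension check
    return $upload_dir['url'] . '/' . basename( $file['name'] );
}

// Hardened pattern: require an authorised user and a valid nonce, accept only
// an allow-list of image types, let WordPress confirm that the extension and
// the real file content agree, then hand the file to wp_handle_upload().
function hardened_handle_image_upload( array $file ) {
    // Authentication and authorisation (capability chosen for this example).
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    // CSRF protection; 'ai_chat_image_upload' is a hypothetical nonce action.
    if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'ai_chat_image_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_error', 'Upload failed.' );
    }

    // Allow-list of raster image types only. Anything else, including
    // .php, .phtml, .html and .svg, is rejected before it is written anywhere.
    $allowed_mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // wp_check_filetype_and_ext() inspects the actual content and returns an
    // empty ext/type when the file is not one of the allowed images.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }
    // WordPress may supply a corrected name when the extension did not match
    // the content; use it so the stored extension reflects the real type.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // Size bound (2 MB is an arbitrary limit chosen for this example).
    if ( $file['size'] > 2 * 1024 * 1024 ) {
        return new WP_Error( 'too_large', 'Image exceeds the size limit.' );
    }

    // wp_handle_upload() re-validates the MIME type against the same
    // allow-list, sanitises the file name and stores the file under a unique
    // name inside the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed_mimes,
        )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['url'];
}
```

The hardened version rejects a file on the basis of its content rather than its claimed name, and it never lets the caller choose the final path. As defence in depth, site operators can also configure the web server to refuse to execute PHP inside wp-content/uploads, so that even a file that slips past validation cannot be run by requesting its URL.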

Earlier, the JS Help Desk plugin was exposed to a remote code execution (RCE) flaw, which affected more than 5,000 sites. A few months before, four WordPress plugins were hit by a supply chain attack.

Perhaps one of the most significant critical flaws was discovered in the LiteSpeed Cache plugin, affecting more than six million websites.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me