Vulnerabilities and security researches forai-engine ai-engine

Jul 02, 2025

CVE, Research URL: CVE-2025-5071
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Jun 19, 2025
Research Description: The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.
Affected versions: Min -, max -.
Status: vulnerable

May 06, 2025

CVE, Research URL: CVE-2023-4253
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Sep 04, 2023
Research Description: The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

Dec 12, 2024

CVE, Research URL: CVE-2024-10499
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Dec 12, 2024
Research Description: The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks
Affected versions: Min -, max -.
Status: vulnerable

Sep 15, 2024

CVE, Research URL: CVE-2024-6723
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Sep 13, 2024
Research Description: The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.
Affected versions: Min -, max -.
Status: vulnerable

Aug 21, 2024

CVE, Research URL: CVE-2024-6451
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Aug 19, 2024
Research Description: AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of "logs_path", allowing Administrators to change log filetypes from .log to .php.
Affected versions: Min -, max -.
Status: vulnerable

Jul 26, 2024

CVE, Research URL: CVE-2024-38791
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Aug 02, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot allows Server Side Request Forgery.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.4.7.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: 79caac2c3bd13a2edc1a48183f8fe12c9f7ff876
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: May 19, 2023
Research Description: AI Engine [ai-engine] < 1.6.83 AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 - Authenticated (Admin+) Stored Cross-Site Scripting The AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings in versions up to, and including, 1.6.82 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-0699
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Feb 06, 2024
Research Description: The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-51409
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Apr 12, 2024
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-0378
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Mar 02, 2024
Research Description: The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI chat data when discussion tracking is enabled in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-29100
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Mar 28, 2024
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-29090
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Mar 28, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-2580
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: Jun 27, 2023
Research Description: The AI Engine WordPress plugin before 1.6.83 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-34440
Home page URL: Security reports for AI Engine
Application: AI Engine
Date: May 14, 2024
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.2.63.
Affected versions: Min -, max -.
Status: vulnerable