cleantalk
Vulnerabilities and Security Researches

AI Engine, CVE-2025-5570

CVE, Research URL

CVE-2025-5570

Home page URL

Security reports for AI Engine

Application

AI Engine

Published on
Jul 08, 2025
Research Description
The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 2.8.5.
Status
vulnerable
Previous vulnerability researches
a3 Portfolio (d1b0f784da3ca0f399c542515fda1423816819f0) , Jun 07, 2024
a3 Portfolio (CVE-2023-29097) , Jun 07, 2024
New vulnerability
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2025-6244) , Jul 09, 2025
AI Engine (CVE-2025-5570) , Jul 09, 2025
Guest Support – Complete customer support ticket system for WordPress (CVE-2025-5957) , Jul 08, 2025
Contact Form 7 reCAPTCHA (CVE-2025-23972) , Jul 08, 2025
Easy Stripe (CVE-2025-49302) , Jul 08, 2025