cleantalk
Vulnerabilities and Security Researches

AI Engine, CVE-2025-7780

CVE, Research URL

CVE-2025-7780

Application

AI Engine

Published on
Jul 24, 2025
Research Description
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling get_audio(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to read any file on the web server and exfiltrate it via the plugin’s OpenAI API integration.
Affected versions
Min -, max 2.9.5.
Status
vulnerable