High severity 7.2 · NVD Advisory · Published Jan 28, 2026 · Updated Apr 15, 2026
CVE-2026-1400
Description
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_helpers_update_media_metadata function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the update_media_metadata endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Affected products: 1
Patches: 0
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php (nvd)
- plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6 (nvd)