CVE-2024-10392 (CVSS 9.8): Popular WordPress AI Plugin Exposed to Critical Security Risk
Website owners using the AI Power: Complete AI Pack plugin are urged to update to the latest version immediately to patch a critical vulnerability that could lead to complete site takeover.
The flaw, tracked as CVE-2024-10392 and assigned a CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files to vulnerable websites. This could enable them to execute malicious code and gain full control of the site.
The vulnerability stems from a lack of file type validation in the plugin’s handle_image_upload function. This function, used for handling image uploads in chats with GPT-4 models, fails to adequately check the type of file being uploaded. As a result, attackers can upload files with malicious PHP code disguised as images.
Since the uploaded files are stored in the publicly accessible WordPress uploads folder, attackers can then execute this code and compromise the entire website.
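To make the root cause concrete, the following is an added illustration and not the plugin’s own code: a minimal WordPress image-upload handler in the weak shape the advisory describes (the uploaded file is stored under its client-supplied name with no content check) beside a hardened version that gates the endpoint on a capability check, allow-lists image types, verifies the bytes really decode as an image, and stores the file under a server-generated name. The function names `weak_handle_image_upload` and `safe_handle_image_upload` are assumptions for this example; the WordPress API calls (`wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_upload_dir`, `current_user_can`) are real core functions.

```php
<?php
// Added example, not AI Power's code. Function names below are illustrative.

// WEAK: trusts the client-supplied file name and performs no type check.
// Any file, including one containing PHP, lands in the public uploads
// directory under the name the client chose.
function weak_handle_image_upload( array $file ) {
    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['path'] ) . basename( $file['name'] );
    if ( move_uploaded_file( $file['tmp_name'], $target ) ) {
        return $upload_dir['url'] . '/' . basename( $file['name'] );
    }
    return new WP_Error( 'upload_failed', 'Could not move file.' );
}

// HARDENED: require an authorised user, accept only a short allow-list of
// raster image types, confirm extension and content agree, confirm the
// bytes decode as an image, and never reuse the client's file name.
function safe_handle_image_upload( array $file ) {
    // 1. Unauthenticated callers (the case in CVE-2024-10392) are refused.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }

    // 2. Reject incomplete uploads and anything that is not a PHP upload.
    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_error', 'Upload did not complete.' );
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_upload', 'Not an uploaded file.' );
    }

    // 3. Explicit allow-list; everything else is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 4. WordPress checks the extension against the detected content type
    //    (finfo / image signatures) and returns empty values on mismatch.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }

    // 5. Belt and braces: the file must actually decode as an image.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_image', 'File is not a valid image.' );
    }

    // 6. Server-generated name with the extension WordPress determined, so a
    //    client-chosen ".php" name can never reach the uploads directory.
    $file['name'] = wp_generate_password( 20, false ) . '.' . $check['ext'];

    // 7. wp_handle_upload() re-validates against the same allow-list and
    //    moves the file into the uploads directory.
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['url'];
}
```

The capability check in step 1 is what separates an authenticated weakness from the unauthenticated one reported here; steps 3 to 6 address the missing file type validation itself. Operators who cannot update immediately can also reduce exposure by denying PHP execution inside wp-content/uploads at the web server level, though that is a mitigation, not a fix.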
Successful exploitation of this vulnerability could have devastating consequences, including:
- Website Defacement: Attackers could alter the website’s content or appearance.
- Data Breaches: Sensitive user data, including login credentials and financial information, could be stolen.
- Malware Distribution: Attackers could use the compromised website to distribute malware to unsuspecting visitors.
- Search Engine Ranking Manipulation: Attackers could manipulate the website’s SEO to harm its search engine rankings.
Security researcher vgo0 discovered and responsibly disclosed this vulnerability through the Wordfence Bug Bounty Program, earning a bounty of $650 for their efforts.
The developers of AI Power: Complete AI Pack have addressed this vulnerability in version 1.8.90. All users are strongly advised to update to this version immediately.