MeldSecurity
Press Enter to search
CVE Database & Search →
Sign In Get Started

CVE-2026-1400

🔴 HIGH

The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata`...

Published
Jan 28, 2026
Last Modified
Jan 29, 2026
Views
6
Bookmarks
0

Description

Request Expert Review

The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.

CVSS Scores

CVSS 3.1 7.2
7.2
HIGH
CVSS 2.0 7.2

References

plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org www.wordfence.com

Additional Information

Source
security@wordfence.com
State
Awaiting analysis

Related CVEs

CVE-2026-1793

MEDIUM

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the...

Score: 6.5

CVE-2026-1750

HIGH

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7...

Score: 8.8

CVE-2026-1490

CRITICAL

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an autho...

Score: 9.8

CVE-2026-2312

MEDIUM

The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the d...

Score: 4.3

CVE-2026-1512

MEDIUM

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the p...

Score: 6.4

CVE-2026-1843

HIGH

The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2....

Score: 7.2

Share CVE-2026-1400

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2026-1400 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis