CVE-2024-13714: 
WordPress vulnerability analysis and mitigation

The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress contains a vulnerability identified as CVE-2024-13714. The vulnerability was disclosed on February 12, 2025, affecting all versions up to and including 1.0.4. This security flaw is related to arbitrary file uploads due to missing file type validation in the 'getimagebyurl' function (NVD Database).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It has received a CVSS v3.1 Base Score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates a network-accessible vulnerability with low attack complexity, requiring low privileges, and no user interaction, potentially resulting in high impacts to confidentiality, integrity, and availability (NVD Database).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, giving attackers significant control over the compromised system (NVD Database).

Users should update their All-Images.ai plugin to a version newer than 1.0.4 if available. Given the severity of the vulnerability, site administrators should consider disabling the plugin until a patch is applied (NVD Database).