CVE-2024-6451: 
WordPress vulnerability analysis and mitigation

The AI Engine WordPress plugin before version 2.5.1 contains a remote code execution (RCE) vulnerability via Log Poisoning. This vulnerability was discovered in version 2.4.3 and earlier versions, and was assigned CVE-2024-6451. The vulnerability affects the plugin's file extension validation mechanism for log files (WPScan, NVD).

The vulnerability stems from the plugin's failure to properly validate the file extension of 'logs_path', which allows administrators to modify log filetypes from .log to .php. This weakness enables attackers to manipulate error messages to contain arbitrary PHP code, which can then be echoed into the log file and executed as legitimate code by the web server. The vulnerability has been assigned a CVSS 3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (WPScan).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code on the affected system with the web server's privileges. This can lead to complete system compromise, including the ability to read, write, or delete files, and potentially execute system commands (WPScan).

The vulnerability has been patched in AI Engine version 2.5.1. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).