CVE-2025-6206: 
WordPress vulnerability analysis and mitigation

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress contains a vulnerability (CVE-2025-6206) discovered in June 2025. The vulnerability affects all versions up to and including 2.5.0, allowing authenticated attackers with Subscriber-level access or higher to perform arbitrary file uploads through the 'aiomatic_image_editor_ajax_submit' function (NVD, Wiz).

The vulnerability stems from missing file type validation in the 'aiomatic_image_editor_ajax_submit' function. To exploit the vulnerability, an attacker needs to be authenticated with at least Subscriber-level access and provide any arbitrary value for the Stability.AI API key. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability enables authenticated attackers to upload arbitrary files to the affected WordPress site's server, which could potentially lead to remote code execution. This gives attackers the ability to execute malicious code on the target system, potentially compromising the entire WordPress installation (Wiz).

Website administrators running the Aiomatic plugin should immediately update to a version newer than 2.5.0 if available. If an update is not available, it is recommended to disable the plugin until a patch is released, especially in environments where lower-privileged users (Subscribers) have access to the system (Wiz).