CVE-2025-7780: 
WordPress vulnerability analysis and mitigation

The AI Engine plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2025-7780) affecting all versions up to and including 2.9.4. The vulnerability was discovered and publicly disclosed on July 23, 2025 (NVD).

The vulnerability exists in the simpleTranscribeAudio endpoint which fails to properly restrict URL schemes before calling the get_audio() function. This implementation flaw has been assigned a CVSS v3.1 score of 6.5 (Medium) and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to read any file on the web server and exfiltrate it through the plugin's OpenAI API integration. This could lead to unauthorized access to sensitive server files and data exposure (NVD).

The vulnerability has been patched in version 2.9.5 of the AI Engine plugin. The update implements proper URL scheme validation in the audio transcription feature and adds sanitization of REST API parameters to prevent API key misuse. Users are advised to update to version 2.9.5 immediately (WordPress Plugin).