CVE-2025-7847: 
WordPress vulnerability analysis and mitigation

The AI Engine plugin for WordPress (versions 2.9.3 and 2.9.4) contains an arbitrary file upload vulnerability in the rest_simpleFileUpload() function. The vulnerability exists due to missing file type validation, allowing authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server when the REST API is enabled. This vulnerability was discovered by ISMAILSHADOW and publicly disclosed on July 30, 2025 (NVD).

The vulnerability exists in the rest_simpleFileUpload() function within the API class of the AI Engine plugin. The function lacks proper file type validation for uploaded files, which allows attackers to bypass intended upload restrictions. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue has been classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

The vulnerability could allow authenticated attackers to upload malicious files to the server, potentially leading to remote code execution. Since the vulnerability only requires Subscriber-level access, which is often easily obtainable on WordPress sites that allow user registration, the potential impact is significant (NVD).

Site administrators should immediately update the AI Engine plugin to version 2.9.5 or later, which contains a fix for this vulnerability. If immediate updating is not possible, administrators should consider temporarily disabling the REST API or restricting access to the affected endpoints until the update can be applied (NVD).