CVE-2023-51409
Published 2024-04-12
CVE-2023-51409: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a…
Priority: P192 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 63.33% (99.1th percentile)
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jordy_meow | ai_engine_chatgpt_chatbot | n/a – 1.9.98 | — |
| meowapps | ai_engine | < 1.9.99 | 1.9.99 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the WordPress REST API endpoint /wp-json/mwai-ui/v1/files/upload. No authentication headers are required, making any such request from an external source suspicious.
- Look for multipart/form-data upload requests containing a .php filename in the Content-Disposition header targeting the AI Engine plugin endpoint.
- A successful exploit returns HTTP 200 with a JSON body containing both '"success":true' and the uploaded .php filename. Monitor HTTP responses from the upload endpoint for this pattern.
- Presence of the plugin path /wp-content/plugins/ai-engine/ on a WordPress site indicates a potentially vulnerable installation; correlate with version <= 1.9.98.
- The vulnerability affects AI Engine: ChatGPT Chatbot versions from n/a through 1.9.98 only; version 1.9.99 and later are patched. Detections should be scoped to sites running vulnerable versions.
- The exploit is unauthenticated (PR:N), meaning no credentials or session tokens are needed. WAF/IDS rules should not require authentication context to fire on this endpoint.
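The indicators listed above, combined into one grading function over HTTP transaction records. This is an added example, not code from any source quoted on this page; the record field names (`src`, `method`, `url`, `request_body`, `status`, `response_body`), the response JSON shape and the sample records are assumptions constructed for illustration.

```python
from __future__ import annotations
import json
import re
from urllib.parse import unquote, urlsplit

UPLOAD_PATH = "/wp-json/mwai-ui/v1/files/upload"  # endpoint named on this page
FILENAME_RE = re.compile(r'Content-Disposition:[^\r\n]*?\bfilename="([^"]*)"', re.I)

def php_filenames(body: str) -> list[str]:
    """Filenames from multipart part headers that end in .php (case-insensitive)."""
    names = (n.strip().rstrip(". ") for n in FILENAME_RE.findall(body))
    return [n for n in names if n.lower().endswith(".php")]

def classify(rec: dict) -> str | None:
    """Grade one transaction: None, 'probe', 'php-upload' or 'php-upload-accepted'."""
    path = unquote(urlsplit(rec["url"]).path).lower().rstrip("/")
    if rec["method"].upper() != "POST" or not path.endswith(UPLOAD_PATH):
        return None
    # No cookie/nonce/Authorization test here: the flaw needs no credentials (PR:N).
    names = php_filenames(rec.get("request_body", ""))
    if not names:
        return "probe"
    resp = rec.get("response_body", "")
    try:
        ok = json.loads(resp).get("success") is True
    except (ValueError, AttributeError):
        ok = '"success":true' in resp.replace(" ", "")
    echoed = any(n.lower() in resp.lower() for n in names)
    accepted = rec.get("status") == 200 and ok and echoed
    return "php-upload-accepted" if accepted else "php-upload"

def scan(records: list[dict]) -> list[tuple[str, str]]:
    """Return (source address, verdict) for every record that matches."""
    return [(r["src"], v) for r in records if (v := classify(r))]

def _part(filename: str) -> str:  # constructed multipart body, file bytes omitted
    return f'--b\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n\r\n...\r\n--b--'

# Constructed sample records; field names are assumptions about the log schema.
SAMPLE = [
    {"src": "203.0.113.5", "method": "GET", "url": "/wp-json/mwai-ui/v1/files/upload", "status": 404},
    {"src": "203.0.113.6", "method": "POST", "url": "/wp-json/mwai-ui/v1/files/upload",
     "request_body": _part("logo.png"), "status": 200, "response_body": '{"success":true}'},
    {"src": "203.0.113.7", "method": "POST", "url": "/blog/wp-json/mwai-ui/v1/files/upload/",
     "request_body": _part("a.php"), "status": 403, "response_body": ""},
    {"src": "203.0.113.8", "method": "POST", "url": "/wp-json/mwai-ui/v1/files/upload?x=1",
     "request_body": _part("x.PHP"), "status": 200,
     "response_body": '{"success": true, "data": {"name": "x.PHP"}}'},
]
```

`scan(SAMPLE)` returns one verdict per matching record; a `php-upload-accepted` verdict on a site running 1.9.98 or earlier is the case to escalate to incident response.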
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 10.0 CRITICAL
GHSA
GHSA-c4qr-mpj2-hxhr: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot
ghsa_unreviewed·2024-04-12
CVE-2023-51409 [CRITICAL] CWE-434 GHSA-c4qr-mpj2-hxhr: Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
VulnCheck
AI Engine: ChatGPT Chatbot Plugin File Upload Vulnerability
vulncheck·2023·CVSS 10.0
CVE-2023-51409 [CRITICAL] AI Engine: ChatGPT Chatbot Plugin File Upload Vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.
Affected: AI Engine: ChatGPT Chatbot AI Engine: ChatGPT Chatbot Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/ai-engine/wordpress-ai-engine-plugin-1-9-98-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-05&host_type=src&vulnerability=cve-2023-51409; https://dashboard.shado
No detection rules found.
Nuclei
Jordy Meow AI Engine - Unrestricted File Upload
nuclei·CVSS 9.8
CVE-2023-51409 [CRITICAL] Jordy Meow AI Engine - Unrestricted File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine- ChatGPT Chatbot. This issue affects AI Engine- ChatGPT Chatbot- from n/a through 1.9.98.
Template:
```yaml
id: CVE-2023-51409

info:
  name: Jordy Meow AI Engine - Unrestricted File Upload
  author: pussycat0x
  severity: critical
  description: |
    Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine- ChatGPT Chatbot.This issue affects AI Engine- ChatGPT Chatbot- from n/a through 1.9.98.
  impact: |
    Unauthenticated attackers can upload files of dangerous types without restriction, potentially leading to remote code execution and complete system compromise.
  remediation: |
    Update AI Engine plugin to version 1.9.99 or later.
  reference:
    - https:
```
- https://patchstack.com/database/vulnerability/ai-engine/wordpress-ai-engine-plugin-1-9-98-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve
- https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2023-51409