CVE-2024-10392
published 2024-10-31

CVE-2024-10392: The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload'…

Priority: P187
Severity: critical, CVSS 3.1 base score 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild: listed in VulnCheck KEV
EPSS: 13.13% (95.9th percentile)
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and including, 1.8.89. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected

1 range

Vendor: senols
Product: ai_puffer_your_ai_engine_for_wordpress
Version range: <= 1.8.89
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the 'handle_image_upload' function of the AI Power: Complete AI Pack WordPress plugin, which performs no file type validation; monitor for unexpected file type uploads (e.g., PHP webshells) via this function on WordPress sites running the plugin.
  • The vulnerability is exploitable by unauthenticated attackers, so monitor for file upload requests to WordPress endpoints associated with the AI Power plugin from unauthenticated sessions.
  • Approximately 10,000 WordPress websites are running the vulnerable plugin; prioritize scanning and detection across WordPress environments for this plugin version.
  • All versions up to and including 1.8.89 of the AI Power: Complete AI Pack WordPress plugin are vulnerable; patch to a version later than 1.8.89.

CVSS provenance

NVD: CVSS v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL