CVE-2023-51409 Scanner
CVE-2023-51409 Scanner – Arbitrary File Upload in AI Engine WordPress Plugin
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
1 week 21 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
The Jordy Meow AI Engine – ChatGPT Chatbot plugin for WordPress integrates OpenAI’s ChatGPT and other AI models into websites to enable dynamic chatbot and content generation capabilities. This plugin is widely used for building intelligent, interactive features in WordPress environments without extensive coding.
However, in versions up to and including 1.9.98, the plugin is affected by a critical Unauthenticated Arbitrary File Upload vulnerability (CVE-2023-51409). The vulnerability exists within the `/wp-json/mwai-ui/v1/files/upload` endpoint, which accepts file uploads without proper validation or authentication. This allows attackers to upload files of any type, including executable PHP files, which can then be used to achieve Remote Code Execution (RCE).
The flaw stems from insufficient input sanitization and a lack of access control on the upload endpoint. A malicious actor can exploit this by sending a specially crafted HTTP POST request with a `.php` file disguised as a valid upload. Once uploaded, the file can be accessed and executed through the web server, resulting in a complete compromise of the website and potentially the underlying system.
This vulnerability is particularly dangerous because:
- No authentication is required.
- Attackers can upload and execute arbitrary code.
- The exploit is trivial and publicly available.
Sites running vulnerable versions are exposed to total compromise. Attackers can install web shells, gain admin access, exfiltrate data, or pivot further into internal networks. Due to the ease of exploitation and impact severity, this issue is rated as Critical with a CVSS v3.1 score of 9.8.
REFERENCES