{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8268", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-27T14:53:48.378Z", "datePublished": "2025-09-03T20:24:15.668Z", "dateUpdated": "2026-04-08T17:19:09.687Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:09.687Z"}, "affected": [{"vendor": "tigroumeow", "product": "AI Engine \u2013 The Chatbot, AI Framework & MCP for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users."}], "title": "Ai Engine <= 2.9.5 - Missing Authorization to Unauthenticated Uploaded Files Disclosure And Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be39e24f-d7d7-44db-9ffd-a4605de8e577?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L645"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L518"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L664"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ISMAILSHADOW"}], "timeline": [{"time": "2025-07-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-27T15:09:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-03T07:55:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T20:47:06.228438Z", "id": "CVE-2025-8268", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T20:47:15.585Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-03T20:47:06.228438Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T20:47:10.761Z"}}], "cna": {"title": "Ai Engine <= 2.9.5 - Missing Authorization to Unauthenticated Uploaded Files Disclosure And Deletion", "credits": [{"lang": "en", "type": "finder", "value": "ISMAILSHADOW"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "tigroumeow", "product": "AI Engine \u2013 The Chatbot, AI Framework & MCP for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.9.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-27T15:09:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-03T07:55:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be39e24f-d7d7-44db-9ffd-a4605de8e577?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L645"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L518"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L664"}], "descriptions": [{"lang": "en", "value": "The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:09.687Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8268", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:09.687Z", "dateReserved": "2025-07-27T14:53:48.378Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-03T20:24:15.668Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users."}], "id": "CVE-2025-8268", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-03T21:15:33.357", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L518"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L645"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/modules/files.php#L664"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be39e24f-d7d7-44db-9ffd-a4605de8e577?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:44:32.359855+00:00", "value": {"mitigation_remediation": ["Upgrade the AI Engine plugin to the latest version that includes the missing capability check (\u2265\u202f2.9.6).", "Restrict access to the rest_list and delete_files REST endpoints so that only authenticated users with the appropriate capabilities can invoke them, for example by configuring a security plugin or adding custom access rules.", "If an immediate upgrade is not possible, audit the site's uploaded files, delete any that may have been exposed or corrupted, and restore from backups if available."], "summary": {"action": "Update Plugin", "impact": "Unauthorized data disclosure and deletion via missing authorization checks"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the AI Engine \u2013 The Chatbot, AI Framework & MCP for WordPress plugin, versions up to and including 2.9.5 are affected.", "description_and_impact": "The AI Engine plugin for WordPress lets an unauthenticated attacker list and delete files that other users have uploaded because a capability check is missing in the rest_list and delete_files functions. This flaw can compromise the confidentiality of user\u2013uploaded content and damage integrity by removing legitimate files. It represents a classic missing authorization weakness (CWE\u2011862).", "risk_and_exploitability": "With a CVSS score of 6.5 the vulnerability is moderate, but its EPSS score of <1\u202f% indicates a very low exploitation likelihood. The flaw is not listed in the CISA KEV catalog. Attackers would need to hit the vulnerable REST endpoints, which are currently accessible to anyone, and then supply the appropriate file identifiers to list or delete them. Because authentication is bypassed, the impact is limited primarily to the files owned by other users on the same site."}}}}, "created": "2025-09-04T13:12:16.218187+00:00", "updated": "2026-04-20T19:45:15.514681+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}