{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23802", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.504Z", "datePublished": "2026-03-05T05:53:49.148Z", "dateUpdated": "2026-04-28T16:14:47.357Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ai-engine", "product": "AI Engine", "vendor": "Jordy Meow", "versions": [{"changes": [{"at": "3.3.3", "status": "unaffected"}], "lessThanOrEqual": "3.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:32.658Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.<p>This issue affects AI Engine: from n/a through <= 3.3.2.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2."}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.357Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-3-2-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress AI Engine plugin <= 3.3.2 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:35:59.795276Z", "id": "CVE-2026-23802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:44:23.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T19:35:59.795276Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:33:06.316Z"}}], "cna": {"title": "WordPress AI Engine plugin <= 3.3.2 - Arbitrary File Upload vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Jordy Meow", "product": "AI Engine", "versions": [{"status": "affected", "changes": [{"at": "3.3.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.3.2"}], "packageName": "ai-engine", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:14.290Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-3-2-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.<p>This issue affects AI Engine: from n/a through <= 3.3.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.629Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23802", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:44:23.105Z", "dateReserved": "2026-01-16T14:15:17.504Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:49.148Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2."}, {"lang": "es", "value": "Vulnerabilidad de carga sin restricciones de archivo con tipo peligroso en Jordy Meow AI Engine ai-engine permite el uso de archivos maliciosos. Este problema afecta a AI Engine: desde n/a hasta &lt;= 3.3.2."}], "id": "CVE-2026-23802", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:22.763", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-3-2-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AI Engine", "source": "cna", "vendor": "Jordy Meow"}, "product": "ai-engine", "vendor": "jordy_meow"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T12:51:30.319293+00:00", "value": {"mitigation_remediation": ["Update the AI Engine plugin to version 3.3.3 or newer, which removes the uncontrolled file upload functionality.", "If an upgrade cannot be performed immediately, restrict the upload feature to administrative users only and enforce strict MIME type checking to allow only safe file types.", "Configure the web server to serve uploaded files as static content and disable execution in the upload directory, preventing any embedded code from running."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Jordy Meow AI Engine plugin versions up to 3.3.2. Any WordPress site running one of these versions of the plugin is at risk. The flaw exists in all installations regardless of theme or other plugins.", "description_and_impact": "The AI Engine plugin suffers from a lack of file type validation, allowing attackers to upload files that the system may handle as executable content. This flaw is classified as CWE\u2011434, and could let a malicious user place files that the WordPress installation might later execute or expose. Because the server may treat such uploads as downloadable or processor\u2011ready media, the attacker could potentially gain code execution, unauthorized data access, or disrupt site availability.", "risk_and_exploitability": "The rating for this vulnerability is 9.1 out of 10, categorizing it as critical. The exploitation probability is less than 1% according to current risk models, and the issue is not listed in the CISA KEV catalog. The likely attack vector is via the plugin\u2019s upload endpoint, where an attacker can supply a file that bypasses type checks. If successful, such a file could be processed or executed by the web server, making this a high\u2011impact risk for sites that use the affected plugin."}}}}, "created": "2026-03-06T15:13:49.318772+00:00", "updated": "2026-04-17T13:00:12.012394+00:00", "vendors": ["jordy_meow", "jordy_meow$PRODUCT$ai-engine", "wordpress", "wordpress$PRODUCT$wordpress"]}