CVE-2026-12511

WordPress · AI Engine

The AI Engine WordPress plugin before 3.5.5 allows authenticated users with editor access to perform path traversal and write arbitrary files to the server.

Executive summary

A path traversal vulnerability in the AI Engine WordPress plugin allows authenticated attackers to execute arbitrary file writes on the host server.

Vulnerability

The plugin fails to sanitize user supplied filenames during file downloads, which permits authenticated users with editor level privileges to perform path traversal and write attacker controlled bytes to arbitrary locations on the server filesystem.

Business impact

This vulnerability poses a significant risk to server integrity, as an attacker with editor access can overwrite critical system or application files. Given the CVSS score of 8.1, this is classified as a high severity issue that could lead to full system compromise if the attacker successfully uploads or overwrites executable code.

Remediation

Immediate Action: Update the AI Engine plugin to version 3.5.5 or later immediately.

Proactive Monitoring: Review access logs for suspicious file upload activity or requests containing path traversal sequences, such as dot dot slash patterns.

Compensating Controls: Ensure that the web server process runs with the least privilege necessary to limit the impact of potential arbitrary file writes.

Exploitation status

Public Exploit Available: No (no confirmed public exploit in available data)

Analyst recommendation

The ability for an authenticated user to perform arbitrary file writes represents a critical failure in input validation. Administrators should prioritize updating the AI Engine plugin to version 3.5.5 to eliminate this path traversal vector and prevent potential remote code execution scenarios.