AI Engine for WordPress ChatGPT Plugin Arbitrary File Read Vulnerability
Vulnerability
The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin is vulnerable to arbitrary file read in all versions up to and including 1.0.1. The root cause is inadequate validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint: the 'insert_image()' function passes a user-controlled URL to 'file_get_contents()' with no restriction on the URL scheme, so authenticated attackers with Contributor-level access and above can read arbitrary files from the server, potentially exposing sensitive information.
Impact
Exploitation of this vulnerability allows authenticated users with post editing capabilities to read sensitive files from the server, such as the WordPress configuration file, wp-config.php, which contains database credentials and other critical information.
Reproduction
To reproduce this vulnerability, log into WordPress as a Contributor or any user with post editing rights. Create a new post draft to obtain a post ID. Then, intercept a request to '/wp-admin/admin-ajax.php' that calls the 'lqdai_update_post' action. Modify the request to include a 'file://' URL in the 'posts[image]' parameter, targeting a file like '/var/www/html/wp-config.php'. Once the request is sent, the file will be downloaded to the uploads directory, accessible via the WordPress uploads URL.
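The defect described above is a missing scheme allow-list in front of 'file_get_contents()'. The following is an added illustrative example of how a WordPress AJAX image-sideload handler can be hardened against it; it is not the plugin's code, and the action name, nonce name and 'image'/'post_id' parameters are hypothetical.

```php
<?php
// Added illustrative example, not the plugin's own code. Function, action, nonce
// and parameter names are hypothetical. Defensive points: per-post capability and
// nonce checks, an explicit http(s) scheme allow-list (rejects file://, php://,
// data:, gopher://), WordPress's own URL validation, and fetching through the
// media/HTTP API instead of a raw file_get_contents() on user input.

function example_sideload_post_image() {
    // Only users allowed to edit this specific post may attach an image to it.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Tie the request to a nonce issued to this user (hypothetical nonce action).
    check_ajax_referer( 'example_sideload_image', 'nonce' );

    $raw_url = isset( $_POST['image'] ) ? wp_unslash( $_POST['image'] ) : '';

    // Scheme allow-list: anything other than http/https is refused outright, which
    // is exactly the check whose absence allows a file:// URL to reach the fetch.
    $scheme = wp_parse_url( $raw_url, PHP_URL_SCHEME );
    if ( ! in_array( strtolower( (string) $scheme ), array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'only http(s) image URLs are accepted', 400 );
    }

    // wp_http_validate_url() re-checks the scheme and also refuses loopback,
    // private and reserved hosts (unless a site opts in via the
    // http_request_host_is_external filter), limiting SSRF-style misuse too.
    $url = wp_http_validate_url( $raw_url );
    if ( false === $url ) {
        wp_send_json_error( 'invalid image URL', 400 );
    }

    // media_sideload_image() downloads via download_url()/wp_safe_remote_get()
    // and runs the upload MIME checks. Its includes (wp-admin/includes/media.php,
    // file.php, image.php) are already loaded in the admin-ajax.php context.
    $attachment_id = media_sideload_image( $url, $post_id, null, 'id' );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( $attachment_id->get_error_message(), 400 );
    }

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
add_action( 'wp_ajax_example_sideload_post_image', 'example_sideload_post_image' );
```

On the detection side, admin-ajax.php requests whose POST body carries a 'file://' value in an image or URL parameter are a direct indicator of the pattern described in this advisory.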
