WordPress AI Engine Plugin Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the AI Engine plugin for WordPress, affecting all versions through 3.3.2. The vulnerability arises in the 'get_audio' function, allowing authenticated attackers with Subscriber-level access and above to make web requests to arbitrary locations from the web application. This could be exploited to query and modify information from internal services, provided that the 'Public API' option is enabled in the plugin settings and 'allow_url_fopen' is activated on the server.
Impact
Exploitation of this vulnerability allows for server-side request forgery, enabling attackers to make requests to internal services and potentially manipulate or access sensitive information.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher invokes the 'get_audio' function in the AI Engine plugin, either by uploading an audio file or by providing a URL that points to an audio file. If 'Public API' is enabled in the plugin settings and 'allow_url_fopen' is turned on at the server level, the 'get_audio' function processes the uploaded file or URL and makes a request to the specified location.
Remediation
Users are advised to update the AI Engine plugin to version 3.3.3 or later, where this vulnerability has been patched.
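For code that has to fetch a user-supplied URL on the server, as 'get_audio' does, the following added example (not the plugin's code or its actual patch) shows one way to refuse destinations that are not public web addresses before any request is made. The function name is_public_http_url(), the injectable resolver and the sample hostnames are assumptions made for illustration.

```php
<?php
// Hypothetical helper for illustration; not taken from the AI Engine plugin.

/**
 * Return true only for http(s) URLs whose host resolves exclusively to public IPs.
 * $resolver maps a hostname to a list of IP strings (injected so the check runs offline).
 */
function is_public_http_url(string $url, callable $resolver): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain web schemes: rejects file://, php://, ftp:// and other stream wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Credentials in the authority part are a common source of parser confusion.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // strip the brackets of an IPv6 literal
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (empty($ips)) {
        return false; // unresolvable host: fail closed
    }
    foreach ($ips as $ip) {
        // Reject private (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved
        // (0/8, 127/8, 169.254/16, ::1, fe80::/10) addresses.
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample DNS data standing in for a real resolver such as gethostbynamel().
$sampleDns = ['media.example.com' => ['93.184.216.34'], 'intranet.example.com' => ['10.0.0.5']];
$resolver = fn(string $h): array => $sampleDns[$h] ?? [];

foreach (['https://media.example.com/a.mp3', 'http://intranet.example.com/a.mp3',
          'http://169.254.10.10/', 'http://[::1]/a.mp3', 'file:///etc/passwd'] as $u) {
    printf("%-40s %s\n", $u, is_public_http_url($u, $resolver) ? 'allow' : 'block');
}
```

A check like this only helps if the fetch then connects to the address that was validated and does not follow redirects to unvalidated hosts. In WordPress code, wp_safe_remote_get() validates the URL and each redirect it follows.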
