If your WordPress site uses the AI Engine plugin, now’s the time to pay attention. A new vulnerability has just been discovered in versions 2.9.3 and 2.9.4, making it the fifth reported flaw in this plugin so far this year. It’s being used on over 100,000 sites, which makes the issue hard to ignore.
The problem lies in how the plugin handles file uploads through its REST API. Basically, it doesn’t properly check what kind of file is being uploaded. That means that, as long as the REST API is active, even a logged-in user with a basic role can upload potentially dangerous files such as scripts.
This isn’t a minor loophole: the vulnerability is rated 8.8 out of 10 in severity.
Normally, when a file is uploaded, WordPress should confirm that the file type matches what it claims to be: a script should not be able to pass itself off as a photo and hijack your site. In this case, that validation step was skipped. A malicious user could upload a PHP file pretending to be an image and use it to run unauthorized code on your server.
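The validation the paragraph describes, written out as a stand-alone example (added here; this is not code from the AI Engine plugin or from WordPress core, and the allowlist, the list of server-executable extensions and the sample bytes are constructed for illustration): the file name’s extension, the client-declared MIME type and the file’s actual leading bytes must all agree on an allowed image type before the upload is accepted, and a file that carries a valid image header but PHP code inside is rejected as well. WordPress core’s `wp_check_filetype_and_ext()` performs this kind of name/content agreement check for the standard media uploader; a plugin that accepts uploads through its own REST route has to apply the equivalent itself.

```python
from __future__ import annotations

import os
import re

# Constructed allowlist for this example: extension -> (expected MIME type, magic-byte prefixes).
# A real plugin would derive this from the site's configured allowed upload types.
ALLOWED_IMAGE_TYPES = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}

# Extensions a web server may hand to the PHP interpreter (constructed list). They must not
# appear anywhere in an uploaded file name, not even before a trailing ".png".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Opening tags that would let the PHP interpreter execute code found in the file.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def sniff_mime(data: bytes) -> str | None:
    """Return the MIME type implied by the file's leading bytes, or None if it is not an allowed image."""
    for _ext, (mime, prefixes) in ALLOWED_IMAGE_TYPES.items():
        if any(data.startswith(prefix) for prefix in prefixes):
            return mime
    return None


def validate_upload(filename: str, claimed_mime: str, data: bytes) -> tuple[bool, str]:
    """Accept an upload only when name, declared type and content all agree on a benign image type."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no file extension"
    extensions = parts[1:]
    # 1. Reject server-executable extensions anywhere in the name (e.g. "shell.php.png").
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, "server-executable extension"
    # 2. The final extension must be on the allowlist.
    final_ext = extensions[-1]
    if final_ext not in ALLOWED_IMAGE_TYPES:
        return False, "extension not allowed"
    expected_mime = ALLOWED_IMAGE_TYPES[final_ext][0]
    # 3. The client-declared Content-Type must match the extension.
    if claimed_mime.lower() != expected_mime:
        return False, "declared MIME type does not match extension"
    # 4. The bytes themselves must match too; name and declared type are attacker-controlled.
    if sniff_mime(data) != expected_mime:
        return False, "file content does not match declared type"
    # 5. A valid image header followed by PHP code is a polyglot; reject it as well.
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP code"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads, not real files.
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [
        ("photo.png", "image/png", png_header),
        ("shell.png", "image/png", b"<?php echo 'hello'; ?>"),
        ("shell.php.png", "image/png", png_header),
        ("photo.png", "image/png", png_header + b"<?php echo 'hello'; ?>"),
    ]
    for name, mime, body in samples:
        print(name, validate_upload(name, mime, body))
```

The order of the checks matters less than the fact that none of them is skipped: an extension allowlist alone is defeated by a renamed file, a declared-MIME check alone is defeated by a forged `Content-Type` header, and a magic-byte check alone is defeated by a real image with code appended, which is why the example insists on all three agreeing before it looks for embedded code.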
What makes this more frustrating is that it’s not the first time. This plugin has had a string of issues last month as well. Last year wasn’t any better, with nine serious flaws reported, including one rated 9.8 that allowed anyone, even unauthenticated users, to upload harmful files. That kind of track record should raise red flags for anyone relying on this plugin.
The good news is that a fix has been released. Version 2.9.5 patches the vulnerability by adding stricter file checks. It also addresses another issue involving how URLs are handled in the audio transcription features and tightens up how API keys are managed. The developers responded quickly, but the bigger lesson is that regular updates aren’t optional; they’re necessary.
This whole situation also points to a bigger problem in the WordPress ecosystem. With more than 40% of the web running on WordPress, it’s an attractive target, and plugins are the weak link.
Studies show that about 97% of WordPress security breaches come from plugin vulnerabilities, especially ones that haven’t been kept up to date.
If you’re using this plugin, update it immediately. Then take a hard look at your site setup.
Limit user roles: don’t hand out subscriber-level access unless it’s really needed. Disable REST API access unless there’s a specific reason to keep it on. Then clean up the site itself: remove unused plugins and make sure the ones you keep are well maintained and actively updated.
The bottom line is security isn’t just about keeping outsiders out. Sometimes, even a basic user role can be exploited if the system isn’t solid. What this plugin issue shows, once again, is that site security has to be proactive. You can’t just hope for the best. You have to build for the worst.