Popular WordPress AI Plugin Exposed to Critical Security Risk

Summary: Website owners using the AI Power: Complete AI Pack plugin must urgently update to the latest version to fix a critical vulnerability (CVE-2024-10392) that could allow attackers to take over their sites. The flaw, with a CVSS score of 9.8, enables unauthenticated file uploads, potentially leading to malicious code execution.

Threat Actor: Unauthenticated attackers
Victim: Website owners using the AI Power: Complete AI Pack plugin

Key Points:

  • Vulnerability allows arbitrary file uploads due to inadequate file type validation.
  • Attackers can execute malicious PHP code by disguising it as image files.
  • Consequences include website defacement, data breaches, malware distribution, and SEO manipulation.
  • Security researcher vgo0 discovered the flaw and received a $650 bounty for reporting it.
  • Users are advised to update to version 1.8.90 to mitigate the risk.

Website owners using the AI Power: Complete AI Pack plugin are urged to update to the latest version immediately to patch a critical vulnerability that could lead to complete site takeover.

The flaw, tracked as CVE-2024-10392 and assigned a CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files to vulnerable websites. This could enable them to execute malicious code and gain full control of the site.

The vulnerability stems from a lack of file type validation in the plugin’s handle_image_upload function. This function, used for handling image uploads in chats with GPT-4 models, fails to adequately check the type of file being uploaded. As a result, attackers can upload files with malicious PHP code disguised as images.

Since the uploaded files are stored in the publicly accessible WordPress uploads folder, attackers can then execute this code and compromise the entire website.
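One way to check an uploads directory for the condition described above, as an added example (not code from the plugin, Wordfence or the original article). The extension list, the directory layout and the sample files are assumptions constructed for illustration; point `audit_uploads` at a site's own uploads folder to triage it.

```python
import os
import tempfile

# Extensions often mapped to the PHP handler (assumed; depends on server config).
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def audit_uploads(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parts = name.lower().split(".")
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # first 1 MiB is enough for triage
            if {"." + p for p in parts[1:]} & PHP_EXTS:  # also catches x.php.jpg
                findings.append((rel, "php-extension"))
            last = "." + parts[-1]
            if last in IMAGE_MAGIC:
                if not data.startswith(IMAGE_MAGIC[last]):
                    findings.append((rel, "bad-image-header"))
                if b"<?php" in data.lower():
                    findings.append((rel, "php-tag-in-image"))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real artifacts
            "2024/11/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
            "2024/11/avatar.jpg": b"<?php echo 'constructed'; ?>",
            "2024/11/upload.php": b"<?php echo 'constructed'; ?>",
            "2024/11/banner.gif": b"GIF89a" + b"<?php echo 1; ?>",
        }
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return audit_uploads(root)
```

A finding is a lead for review, not proof of compromise; whether a flagged file can actually run depends on how the web server handles that extension in the uploads path.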

Successful exploitation of this vulnerability could have devastating consequences, including:

  • Website Defacement: Attackers could alter the website’s content or appearance.
  • Data Breaches: Sensitive user data, including login credentials and financial information, could be stolen.
  • Malware Distribution: Attackers could use the compromised website to distribute malware to unsuspecting visitors.
  • Search Engine Ranking Manipulation: Attackers could manipulate the website’s SEO to harm its search engine rankings.

Security researcher vgo0 discovered and responsibly disclosed this vulnerability through the Wordfence Bug Bounty Program, earning a bounty of $650 for their efforts.

The developers of AI Power: Complete AI Pack have addressed this vulnerability in version 1.8.90. All users are strongly advised to update to this version immediately.

Source: https://securityonline.info/cve-2024-10392-cvss-9-8-popular-wordpress-ai-plugin-exposed-to-critical-security-risk