CVE-2024-0699
Published: 05 February 2024
Summary
CVE-2024-0699 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Meowapps Ai Engine. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.
Deeper analysis
The AI Engine plugin for WordPress, which provides chatbots, content generators, and GPT-based assistants, contains an arbitrary file upload vulnerability in all versions through 2.1.4. The flaw stems from missing file-type validation inside the add_image_from_url function (CWE-434), allowing an attacker to place arbitrary files on the server. The issue received a CVSS 6.6 rating reflecting the need for high privileges and high attack complexity.
Authenticated users holding the Editor role or above can exploit the weakness over the network to upload malicious files, which may subsequently enable remote code execution on the affected site. CVE-2024-29100 is noted as a likely duplicate of the same problem.
Public references include a Wordfence threat-intelligence entry and the WordPress plugin repository changeset 3021494 that patches classes/core.php. The EPSS score has remained flat at 0.0712 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16489
Vulnerability details
The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2024-29100 is likely a duplicate of this issue.
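The missing check described above is a file-type validation on an image fetched from a URL. The following is an added illustration of what such a check looks like, written in Python for clarity rather than taken from the plugin's PHP code; the function and sample names are hypothetical and the sample inputs are constructed here.

```python
import os

# Constructed allowlist: accepted image extension -> leading bytes (magic numbers).
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
CANONICAL = {"jpeg": "jpg"}  # treat .jpeg and .jpg as the same type


def sniff_image_type(data: bytes):
    """Return the canonical image type implied by the file's leading bytes, or None."""
    for ext, magics in IMAGE_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return CANONICAL.get(ext, ext)
    return None


def validate_image_upload(filename: str, data: bytes) -> str:
    """Hardened check for a URL-sourced image (hypothetical helper):
    allowlisted extension, a single extension only, and content whose
    signature agrees with that extension. Returns the safe basename or
    raises ValueError, so the caller never writes an unvalidated file."""
    base = os.path.basename(filename.split("?", 1)[0])  # strip any query string
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in IMAGE_SIGNATURES:
        raise ValueError(f"extension not in image allowlist: {base!r}")
    if "." in stem:  # reject double extensions such as name.php.png
        raise ValueError(f"multiple extensions rejected: {base!r}")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise ValueError("content does not start with a known image signature")
    if sniffed != CANONICAL.get(ext, ext):
        raise ValueError(f"extension {ext!r} disagrees with content {sniffed!r}")
    return base


# Constructed samples: a minimal PNG header and a non-image (PHP-looking) blob.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
NON_IMAGE_SAMPLE = b"<?php /* constructed non-image sample */ ?>"


def check_samples():
    """Run the validator over the constructed samples; rejections are reported, not raised."""
    results = {}
    for name, data in [("photo.png", PNG_SAMPLE), ("note.php", NON_IMAGE_SAMPLE),
                       ("note.png", NON_IMAGE_SAMPLE), ("note.php.png", PNG_SAMPLE)]:
        try:
            results[name] = validate_image_upload(name, data)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

Only `photo.png` passes; the other three samples are rejected for a disallowed extension, a content mismatch, and a double extension respectively.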
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects the 'AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!' WordPress plugin, which provides AI-powered chatbots, generators, and assistants, fitting the Enterprise AI Assistants category as it integrates AI features like GPT-4 into enterprise WordPress deployments.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables authenticated exploitation of a public-facing WordPress plugin (T1190) via arbitrary file upload lacking type validation, facilitating web shell deployment for remote code execution (T1100, T1505.003).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.