
CVE-2024-0699

Severity: Medium

Published: 05 February 2024
Modified: 08 April 2026
KEV Added: not listed
CVSS v3.1 score: 6.6 (vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0712 (91.7th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-0699 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Meowapps Ai Engine. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.

Deeper analysis

The AI Engine plugin for WordPress, which provides chatbots, content generators, and GPT-based assistants, contains an arbitrary file upload vulnerability in all versions through 2.1.4. The flaw stems from missing file-type validation inside the add_image_from_url function (CWE-434), allowing an attacker to place arbitrary files on the server. The issue received a CVSS 6.6 rating reflecting the need for high privileges and high attack complexity.

Authenticated users holding the Editor role or above can exploit the weakness over the network to upload malicious files, which may subsequently enable remote code execution on the affected site. CVE-2024-29100 is noted as a likely duplicate of the same problem.

Public references include a Wordfence threat-intelligence entry and the WordPress plugin repository changeset 3021494 that patches classes/core.php. The EPSS score has remained flat at 0.0712 with no material increase after disclosure.
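As an added illustration (not the plugin's code and not the fix shipped in changeset 3021494, which is PHP), the following Python sketch shows the kind of validation whose absence the advisory describes: the weak pattern that stores a fetched file under whatever name the URL ends with, beside a check that requires the URL's extension, the declared Content-Type and the file's own leading bytes to agree on one allowlisted image type before choosing a sanitized storage name. The function names, the allowlist and the sample inputs are all assumptions made for this example.

```python
"""Defensive validation for an 'add image from URL' feature.

Added illustration of the file-type check that CVE-2024-0699 describes as
missing; this is not the plugin's code, and every name and sample value here
is constructed for the example.
"""
import os
import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# Allowlisted image extensions and the MIME type each must carry (assumed set).
ALLOWED_TYPES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "webp": "image/webp",
}


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    stored_name: Optional[str]


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the real format from leading bytes, ignoring any claimed name or header."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def weak_name_from_url(url: str) -> str:
    """The unsafe pattern: store the file under whatever name the URL ends with.

    With no type validation, a URL ending in '.php' becomes a '.php' file in
    the upload directory, which is the class of bug the advisory describes.
    """
    return os.path.basename(urlparse(url).path) or "image"


def validate_remote_image(url: str, content_type: str, data: bytes) -> Verdict:
    """Accept the fetched file only if three independent signals agree on one
    allowlisted image type: the URL's extension, the declared Content-Type and
    the sniffed magic bytes. Returns a sanitized name to store it under."""
    raw_name = os.path.basename(urlparse(url).path)
    base, dot, ext = raw_name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension {ext!r} is not an allowlisted image type", None)
    expected = ALLOWED_TYPES[ext]

    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected:
        return Verdict(False, f"Content-Type {declared!r} does not match .{ext}", None)

    sniffed = sniff_image_type(data)
    if sniffed != expected:
        return Verdict(False, f"content sniffed as {sniffed!r}, expected {expected!r}", None)

    # Normalise the base name so double extensions ('x.php.png'), traversal
    # fragments and unusual characters cannot survive into the stored path.
    safe_base = re.sub(r"[^a-z0-9_-]+", "-", base.lower()).strip("-") or "image"
    return Verdict(True, "ok", f"{safe_base}.{ext}")


# Constructed sample inputs (not real traffic): a minimal PNG header padded
# with zeros, and a PHP-looking body presented under several names.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SCRIPT = b"<?php echo 'constructed sample'; ?>"

SAMPLES = [
    ("https://cdn.example.invalid/img/avatar.png", "image/png", SAMPLE_PNG),
    ("https://cdn.example.invalid/up/script.php", "application/octet-stream", SAMPLE_SCRIPT),
    ("https://cdn.example.invalid/up/script.png", "image/png", SAMPLE_SCRIPT),
    ("https://cdn.example.invalid/up/script.php.png", "image/png", SAMPLE_PNG),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        v = validate_remote_image(url, ctype, body)
        print(f"{weak_name_from_url(url)!r}: accepted={v.accepted} ({v.reason}) "
              f"stored_name={v.stored_name}")
```

Run as a script, the four constructed samples show the contrast: the unvalidated path would happily store `script.php`, while the validator accepts only the two genuine PNGs and rewrites `script.php.png` to `script-php.png` so that no second extension survives. Sniffing the bytes matters because a Content-Type header is attacker-controlled when the file is fetched from a remote URL.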


Vulnerability details

The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2024-29100 is likely a duplicate of this issue.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

AI Security Analysis [AI]

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: The vulnerability affects the 'AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!' WordPress plugin, which provides AI-powered chatbots, generators, and assistants, fitting the Enterprise AI Assistants category as it integrates AI features like GPT-4 into enterprise WordPress deployments.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables authenticated exploitation of a public-facing WordPress plugin (T1190) via an arbitrary file upload lacking type validation, which facilitates web shell deployment for remote code execution (T1100, T1505.003).

Affected Assets

Vendor: meowapps
Product: ai engine
Versions: ≤ 2.1.4

Mitigating Controls

Likely Mitigating Controls [AI]

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
