CVE-2024-12471
Published: 07 January 2025
Description
The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is vulnerable to arbitrary file upload due to a missing capability check and missing file type validation in the add_image_to_library AJAX action function in all versions up to and including 1.3.1. Authenticated attackers with subscriber-level access or higher can upload arbitrary files to the affected site's server, which may make remote code execution possible.
Security Summary
CVE-2024-12471 affects the Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress in all versions up to and including 1.3.1. The vulnerability stems from a missing capability check and missing file type validation in the add_image_to_library AJAX action function: the handler neither verifies that the calling user is allowed to upload media nor restricts what kind of file is accepted, so any file, including PHP, can be written to the server. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection).
The PR:L component means the attacker needs a valid account, but only at subscriber level, the lowest standard WordPress role; on sites with open registration that is no real barrier. No user interaction is required (UI:N) and the endpoint is reachable over the network (AV:N) with low complexity (AC:L). By posting a crafted file to the flawed AJAX action, the attacker can place a PHP file in a web-served directory and then request it, which is the usual path from arbitrary upload to remote code execution on the WordPress site.
Update the plugin to a version later than 1.3.1. Patch and mitigation details are available in the Wordfence advisory and on the plugin's WordPress.org page. The CVE was published on 2025-01-07.
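The class of bug described above, shown as a generic WordPress AJAX upload handler beside a hardened version of the same handler. This is an added illustration and is not the Post Saint plugin's own code; the hook registration, the `image` field name, the `nonce` field name and the allowed MIME list are assumptions made for the example. Both handlers are registered on the same action here only so they can be read side by side; a real plugin would register one of them.

```php
<?php
/*
 * Illustrative pattern only (not the Post Saint plugin's code). Shows an
 * authenticated AJAX upload handler with no capability check and no file type
 * validation, the bug class behind CVE-2024-12471, next to a hardened handler.
 * Hook name, request field names and the MIME whitelist are assumptions.
 */

// --- Vulnerable pattern. wp_ajax_* fires for every logged-in role, including
// subscriber, so anyone with an account reaches this function.
add_action('wp_ajax_add_image_to_library', 'vuln_add_image_to_library');
function vuln_add_image_to_library() {
    if (empty($_FILES['image']['tmp_name'])) {
        wp_send_json_error('no file');
    }
    $upload_dir = wp_upload_dir();
    // No nonce, no current_user_can(), attacker-controlled filename, and no
    // MIME/extension check: "shell.php" is written into the web-served uploads dir.
    $name = basename($_FILES['image']['name']);
    move_uploaded_file($_FILES['image']['tmp_name'], $upload_dir['path'] . '/' . $name);
    wp_send_json_success(['url' => $upload_dir['url'] . '/' . $name]);
}

// --- Hardened pattern.
add_action('wp_ajax_add_image_to_library', 'safe_add_image_to_library');
function safe_add_image_to_library() {
    // 1. CSRF: require a nonce issued to this user for this action
    //    (the 'nonce' request field is an assumed name).
    check_ajax_referer('add_image_to_library', 'nonce');

    // 2. Authorization: subscribers and contributors do not hold upload_files;
    //    authors and above do. This is the capability check the CVE describes as missing.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    if (empty($_FILES['image']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }

    // 3. File type validation: explicit image whitelist, verified against the
    //    file's actual content rather than the client-supplied name or MIME.
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    ];
    $check = wp_check_filetype_and_ext(
        $_FILES['image']['tmp_name'],
        $_FILES['image']['name'],
        $allowed
    );
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }

    // 4. Let core do the write: wp_handle_upload() sanitises the filename,
    //    re-applies the MIME whitelist and places the file under wp_upload_dir().
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['image'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(['url' => $result['url']]);
}
```

The two controls are independent: the capability check stops subscriber-level accounts from reaching the upload at all, and the MIME whitelist stops a privileged-but-compromised account from turning the media library into a PHP drop. Blocking PHP execution under wp-content/uploads at the web server is a useful third layer but does not replace either check.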
Details
- CWE(s)
- CWE-94 (Code Injection)
AI Security Analysis
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- The vulnerability affects a WordPress plugin that integrates multiple AI services (ChatGPT, GPT-4, DALL-E, Stable Diffusion, Dezgo) for text and image generation, fitting as an AI integration platform.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flawed upload endpoint is exposed by a public-facing WordPress plugin, so exploiting it maps to T1190 (Exploit Public-Facing Application); note that PR:L means the attacker first needs a valid account of any role, which on sites with open registration is trivial to obtain. Writing a PHP file into the web-served uploads directory through the AJAX action is an ingress tool transfer (T1105), and requesting that file to execute attacker code is a web shell (T1505.003, Server Software Component: Web Shell). For hunting, look for POST requests to admin-ajax.php with action=add_image_to_library from low-privilege accounts, followed by new .php files under wp-content/uploads and direct requests to them.