Cyber Posture

CVE-2024-13361

Medium

Published: 22 January 2025
Modified: 24 January 2025
KEV Added: not listed
Patch: available (WordPress plugin trac changeset 3224162)
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (43.4th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13361 is a medium-severity Missing Authorization (CWE-862) vulnerability in the AI Power: Complete AI Pack plugin for WordPress (vendor/product record: aipower). Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score of 0.0021 places it at the 43.4th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and three other techniques listed below. What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to the wpaicg_save_image_media function, directly mitigating the missing capability check that lets Subscriber-level users upload images with shortcodes embedded in the alt text.

AC-6 Least Privilege (prevent)

Applies least privilege so that low-privilege authenticated users such as Subscribers cannot reach file-upload functions that allow shortcodes to be embedded and executed.

Flaw remediation (prevent)

Facilitates timely identification, reporting, and patching of the flaw in AI Power plugin versions up to and including 1.8.96, as addressed in WordPress plugin trac changeset 3224162.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability lets low-privileged users bypass the capability check on image uploads and inject shortcodes into the alt text, which supports privilege escalation (T1068), ingress tool transfer via unauthorized uploads (T1105), exploitation of a public-facing web application (T1190), and web shell deployment through shortcodes executed on attachment pages (T1505.003). Note that shortcode execution only invokes the shortcode handlers registered on the site, not arbitrary PHP; the vector's low confidentiality, integrity and availability impacts reflect this, and the practical reach depends on which shortcodes other installed plugins expose.

NVD Description

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.

Deeper analysis

CVE-2024-13361 is an unauthorized access vulnerability in the AI Power: Complete AI Pack plugin for WordPress, affecting all versions up to and including 1.8.96. The issue arises from a missing capability check on the wpaicg_save_image_media function, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low-privilege network access.

Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability by sending a POST request to upload image files. They can embed shortcode attributes in the image_alt value of the uploaded images, which execute upon sending a POST request to the attachment page, potentially leading to limited confidentiality, integrity, and availability impacts.

Advisories reference a patch in WordPress plugin trac changeset 3224162, which modifies the wpaicg_image.php file in the plugin trunk. Wordfence provides additional threat intelligence details at their vulnerability page.
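As an added illustration of the missing check described above, and of the AC-3 and AC-6 mitigations listed earlier, here is a hypothetical WordPress AJAX upload handler in its vulnerable shape beside a hardened one. This is example code written for this page, not the AI Power plugin's own wpaicg_save_image_media implementation and not the contents of changeset 3224162; the function names, action name, nonce name and request field names are assumptions, while the WordPress APIs called are real.

```php
<?php
// Added example for this page. Handler names, the action name, the nonce
// name and the request fields are hypothetical; the real plugin's
// wpaicg_save_image_media body is not reproduced here.

/**
 * Vulnerable shape (CWE-862), shown for contrast only and not registered.
 * Any authenticated user can invoke a wp_ajax_* action, so without a
 * capability check a Subscriber can upload a file and store raw alt text.
 */
function example_save_image_media_vulnerable() {
    $attachment_id = media_handle_upload( 'image', 0 );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( $attachment_id->get_error_message() );
    }
    // Stored verbatim: a value such as '[some_shortcode]' in image_alt
    // survives to whatever later renders the attachment page.
    update_post_meta( $attachment_id, '_wp_attachment_image_alt', $_POST['image_alt'] );
    wp_send_json_success( array( 'id' => $attachment_id ) );
}

/**
 * Hardened shape: AC-3 (an explicit authorization decision on the
 * function) and AC-6 (only users already holding upload_files get
 * through; Subscribers do not hold it by default).
 */
function example_save_image_media_hardened() {
    // CSRF protection. A nonce proves intent, not privilege.
    check_ajax_referer( 'example_save_image_media', 'nonce' );

    // Authorization: reuse WordPress core's own media-upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    if ( empty( $_FILES['image'] ) ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }

    $attachment_id = media_handle_upload( 'image', 0 );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( $attachment_id->get_error_message(), 400 );
    }

    // Alt text is plain text: remove registered shortcodes, then sanitize.
    $alt = isset( $_POST['image_alt'] ) ? wp_unslash( $_POST['image_alt'] ) : '';
    $alt = sanitize_text_field( strip_shortcodes( $alt ) );
    update_post_meta( $attachment_id, '_wp_attachment_image_alt', $alt );

    wp_send_json_success( array( 'id' => $attachment_id, 'alt' => $alt ) );
}

// Only the hardened handler is wired up, and only for logged-in users
// (no wp_ajax_nopriv_ registration).
add_action( 'wp_ajax_example_save_image_media', 'example_save_image_media_hardened' );
```

The capability check is the part that closes this CWE-862 class; the nonce alone would still let every Subscriber through. Sanitizing on save is defence in depth rather than a full fix, because strip_shortcodes() removes only shortcodes registered at save time, so the rendering path should also treat alt text as plain text and never pass it through do_shortcode().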

Details

CWE(s)
CWE-862 Missing Authorization

Affected Products
Vendor: aipower
Product: aipower (AI Power: Complete AI Pack, WordPress plugin)
Versions: ≤ 1.8.97 as listed in the product record; the NVD description gives all versions up to and including 1.8.96. Check the installed version against the fix in changeset 3224162 rather than relying on either bound alone.

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
The vulnerability affects the 'AI Power: Complete AI Pack' WordPress plugin, which provides AI functionalities such as content generation and image handling, fitting the Enterprise AI Assistants category as an integrated AI solution for content management platforms.

CVEs Like This One

CVE-2025-0429: same product (Aipower Aipower)
CVE-2025-0428: same product (Aipower Aipower)
CVE-2025-10690: shared CWE-862
CVE-2026-4326: shared CWE-862
CVE-2026-5464: shared CWE-862
CVE-2025-5394: shared CWE-862
CVE-2025-1307: shared CWE-862
CVE-2024-8999: shared CWE-862
CVE-2024-7767: shared CWE-862
CVE-2026-22683: shared CWE-862
