Cyber Resilience

CVE-2024-13361

Medium

Published: 22 January 2025

Published
22 January 2025
Modified
24 January 2025
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0021 43.8th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13361 is a medium-severity Missing Authorization (CWE-862) vulnerability in Aipower Aipower. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-13361 is an unauthorized access vulnerability in the AI Power: Complete AI Pack plugin for WordPress, affecting all versions up to and including 1.8.96. The issue arises from a missing capability check on the wpaicg_save_image_media function, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low-privilege network access.

Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability by sending a POST request to upload image files. They can embed shortcode attributes in the image_alt value of the uploaded images, which execute upon sending a POST request to the attachment page, potentially leading to limited confidentiality, integrity, and availability impacts.

Advisories reference a patch in WordPress plugin trac changeset 3224162, which modifies the wpaicg_image.php file in the plugin trunk. Wordfence provides additional threat intelligence details at their vulnerability page.

EU & UK References

Vulnerability details

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with…

more

Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability enables low-privileged users to bypass capability checks for image uploads and shortcode injection in alt text, facilitating privilege escalation (T1068), ingress tool transfer via unauthorized uploads (T1105), exploitation of public-facing web application (T1190), and web shell deployment through executable shortcodes on attachment pages (T1505.003).

CVEs Like This One

CVE-2025-0429Same product: Aipower Aipower
CVE-2025-0428Same product: Aipower Aipower
CVE-2025-10690Shared CWE-862
CVE-2025-5394Shared CWE-862
CVE-2025-1307Shared CWE-862
CVE-2026-5464Shared CWE-862
CVE-2026-4326Shared CWE-862
CVE-2024-7767Shared CWE-862
CVE-2024-8999Shared CWE-862
CVE-2015-10140Shared CWE-862

Affected Assets

aipower
aipower
≤ 1.8.97

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to the wpaicg_save_image_media function, directly mitigating the missing capability check that allows Subscriber-level users to upload images with executable shortcode attributes.

prevent

Applies least privilege to restrict low-privilege authenticated users like Subscribers from accessing file upload functions that enable embedding and execution of shortcodes.

prevent

Facilitates timely identification, reporting, and patching of the specific flaw in AI Power plugin versions up to 1.8.96, as addressed in WordPress plugin trac changeset 3224162.

References