CVE-2025-7847
Published: 31 July 2025
Summary
CVE-2025-7847 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the AI Engine plugin for WordPress (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The AI Engine plugin for WordPress contains an arbitrary file upload vulnerability in versions 2.9.3 and 2.9.4. The flaw stems from missing file type validation inside the rest_simpleFileUpload() function, which is reachable through the plugin’s REST API endpoints and is tracked as CWE-434.
Authenticated users with Subscriber-level privileges or higher can exploit the issue when the REST API is enabled. Successful exploitation permits upload of arbitrary files to the server, which may be leveraged for remote code execution and yields a CVSS 3.1 score of 8.8.
Public references, including WordPress plugin trac changesets and the Wordfence advisory, document code fixes that restore file-type checks; site administrators should apply the latest plugin release to eliminate the exposure. The associated EPSS score has remained flat at 0.0164 with no material increase since disclosure.
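The following is an added illustration, not code from the AI Engine plugin and not the fix published in the trac changesets. It shows what file-type validation on a WordPress REST upload endpoint looks like when it is present: a capability check in the permission callback so that Subscriber-level accounts cannot reach the handler, an explicit extension/MIME allowlist, content sniffing through WordPress's own wp_check_filetype_and_ext(), and a rejection of names carrying an executable inner extension. The route name, function names and the allowlist contents are assumptions chosen for the example.

```php
<?php
// Added example (hypothetical plugin, not AI Engine): a REST upload handler
// that performs the file-type validation the advisory describes as missing.
// Route, function names and the allowlist below are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_upload',
        // Require a real upload capability instead of accepting any logged-in user.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

/**
 * Validate one entry from $_FILES. Returns array( 'name', 'mime' ) or WP_Error.
 */
function example_validate_upload( array $file ) {
    // Allowlist of the few types this feature actually needs (assumed set).
    $allowed = array(
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'pdf'  => 'application/pdf',
        'txt'  => 'text/plain',
    );

    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file.', array( 'status' => 400 ) );
    }

    $name = sanitize_file_name( $file['name'] );

    // Checks the extension against $allowed and, for images, sniffs the real
    // content type; 'type'/'ext' come back empty when either check fails.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['type'] ) || empty( $check['ext'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.', array( 'status' => 415 ) );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // WordPress corrected a mismatched extension
    }

    // Defence in depth: refuse "shell.php.png"-style names with an executable inner extension.
    if ( preg_match( '/\.(php|phtml|phar|cgi|pl|sh)(\.|$)/i', $name ) ) {
        return new WP_Error( 'bad_name', 'File name not permitted.', array( 'status' => 415 ) );
    }

    return array( 'name' => $name, 'mime' => $check['type'] );
}

function example_rest_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) ) {
        return new WP_Error( 'no_file', 'Missing "file" field.', array( 'status' => 400 ) );
    }

    $valid = example_validate_upload( $files['file'] );
    if ( is_wp_error( $valid ) ) {
        return $valid;
    }

    // Let WordPress move the file into the uploads directory. test_form is false
    // because this is a REST request, not a classic form post; 'mimes' narrows
    // the core allowlist to the same set used above so the two checks agree.
    $result = wp_handle_upload( $files['file'], array(
        'test_form' => false,
        'mimes'     => array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg',
                              'pdf' => 'application/pdf', 'txt' => 'text/plain' ),
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }

    return rest_ensure_response( array(
        'file' => $result['file'],
        'url'  => $result['url'],
        'mime' => $valid['mime'],
    ) );
}
```

The important design choice is that the allowlist is closed: anything not named is refused, rather than trying to enumerate dangerous extensions. Pairing that with the capability check in permission_callback means a Subscriber-level account, the minimum privilege named in this advisory, never reaches the upload logic at all.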
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23233
Vulnerability details
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in WordPress AI Engine plugin enables exploitation of public-facing application (T1190) and facilitates uploading web shells for remote code execution (T1100) and persistence (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of information inputs such as file types during uploads, addressing the missing file type validation in rest_simpleFileUpload().
- SI-2 (Flaw Remediation): mandates identification, reporting, and timely remediation of software flaws like this arbitrary file upload vulnerability through patching affected plugin versions.
- Enforces restrictions on classes of information inputs to block dangerous file types, mitigating unrestricted uploads of arbitrary files via the REST API.