CVE-2026-1400
Published: 28 January 2026
Summary
CVE-2026-1400 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload via missing validation directly enables web shell deployment (T1505.003) on a public-facing WordPress application (T1190), resulting in RCE.
NVD Description
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes…
more
it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Deeper analysisAI
CVE-2026-1400 is an arbitrary file upload vulnerability in the AI Engine – The Chatbot and AI Framework for WordPress plugin, affecting all versions up to and including 3.3.2. The flaw arises from missing file type validation in the `rest_helpers_update_media_metadata` function, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H) and was published on 2026-01-28.
Authenticated attackers with Editor-level access or higher can exploit the vulnerability by uploading a benign image file and then leveraging the `update_media_metadata` REST endpoint to rename it as a PHP file in the WordPress uploads directory. This allows creation of an executable PHP file on the server, potentially leading to remote code execution.
References to the vulnerable code appear in the plugin's trac browser for version 3.3.0 at lines 1104 and 1141 of classes/rest.php, with a fix applied in changeset 3447500 to the trunk. The Wordfence threat intelligence page provides further details on the issue.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, ai