Cyber Resilience

CVE-2026-23802

Severity: Critical
Published: 05 March 2026
Modified: 22 April 2026
CISA KEV: not listed
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0046 (36.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23802 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23802 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the AI Engine WordPress plugin developed by Jordy Meow. The flaw affects all versions of the ai-engine plugin from n/a through 3.3.2 and enables the use of malicious files through unrestricted file uploads.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating it can be exploited remotely with low complexity by an authenticated attacker possessing high privileges, such as administrator access, and without requiring user interaction. Successful exploitation results in high impacts to confidentiality, integrity, and availability, accompanied by a scope change, allowing attackers to upload arbitrary malicious files that could lead to full system compromise.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-3-2-arbitrary-file-upload-vulnerability?_s_id=cve details this arbitrary file upload issue in AI Engine version 3.3.2 and provides guidance on mitigation for affected WordPress installations.

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files. This issue affects AI Engine: from n/a through <= 3.3.2.

CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload of dangerous types (CWE-434) directly enables web shell deployment for remote code execution and persistence on the compromised WordPress server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13882 (shared CWE-434)
CVE-2024-55417 (shared CWE-434)
CVE-2025-33015 (shared CWE-434)
CVE-2026-1400 (shared CWE-434)
CVE-2026-4808 (shared CWE-434)
CVE-2021-35485 (shared CWE-434)
CVE-2026-41269 (shared CWE-434)
CVE-2025-23942 (shared CWE-434)
CVE-2025-7847 (shared CWE-434)
CVE-2026-22241 (shared CWE-434)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Information Input Validation directly enforces checks on uploaded files to reject dangerous types, preventing exploitation of the unrestricted file upload vulnerability.

SI-2 Flaw Remediation (prevent)

Flaw Remediation requires timely patching of the AI Engine plugin vulnerability, eliminating the unrestricted upload flaw across affected versions.

SI-3 Malicious Code Protection (prevent, detect)

Malicious Code Protection scans and blocks execution of uploaded malicious files, mitigating impacts even if dangerous uploads occur.
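The input-validation and malicious-code-protection controls above amount to checking what is uploaded and catching server-executable content that a name check alone would miss. The following is an added Python example, not code from the AI Engine plugin, WordPress or Patchstack, showing one way to apply both checks to a WordPress-style upload; the extension lists, magic-byte table and sample file names are constructed for illustration.

```python
"""Upload validation of the kind NIST SI-10 calls for, illustrated for CWE-434.
Constructed example for this page, not code from AI Engine, WordPress or Patchstack:
extension allowlist, executable-extension denylist over every dot-separated part
(so shell.php.jpg is refused), magic bytes matching the claimed type, PHP tag scan."""
import os
import re

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions a PHP-enabled web server (or a misconfigured one) may hand to the PHP engine.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
MAGIC = {  # leading bytes expected for each accepted binary type
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-",
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def check_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason); anything the server might execute is refused."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:  # no extension, or a dotfile such as .htaccess
        return False, "missing or hidden-file name"
    exts = parts[1:]  # every extension, not just the last one
    if any(e in EXECUTABLE_EXT or e.startswith("php") for e in exts):
        return False, "executable extension in name"
    ext = exts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match claimed type"
    if PHP_OPEN_TAG.search(content):  # polyglot: valid image header with code appended
        return False, "php open tag in content"
    return True, "ok"

# Constructed sample uploads with harmless placeholder bodies (not real payloads).
SAMPLE_UPLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("notes.txt", b"release notes for 3.3.2"),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
    ("image.png", b"<?php echo 1; ?>"),
    ("../../wp-config.php", b"<?php echo 1; ?>"),
    (".htaccess", b"AddType application/x-httpd-php .jpg"),
]

def triage(uploads):
    """Map each file name to its verdict so a reviewer can see why it was refused."""
    return {name: check_upload(name, body)[1] for name, body in uploads}
```

Only the first two sample files pass; each of the others is refused for a different reason, which is the point of layering the checks rather than relying on the last extension alone.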
