CVE-2026-23802
Published: 05 March 2026
Summary
CVE-2026-23802 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE is ranked at the 36.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23802 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the AI Engine WordPress plugin developed by Jordy Meow. The flaw affects all versions of the ai-engine plugin from n/a through 3.3.2 and lets an attacker upload malicious files because the plugin does not restrict the type of files it accepts.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating it can be exploited remotely with low complexity by an authenticated attacker possessing high privileges, such as administrator access, and without requiring user interaction. Successful exploitation results in high impacts to confidentiality, integrity, and availability, accompanied by a scope change, allowing attackers to upload arbitrary malicious files that could lead to full system compromise.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-3-2-arbitrary-file-upload-vulnerability?_s_id=cve details this arbitrary file upload issue in AI Engine version 3.3.2 and provides guidance on mitigation for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9598
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files. This issue affects AI Engine: from n/a through <= 3.3.2.
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload of dangerous types (CWE-434) directly enables web shell deployment for remote code execution and persistence on the compromised WordPress server.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) directly enforces checks on uploaded files to reject dangerous types, preventing exploitation of the unrestricted file upload vulnerability.
SI-2 (Flaw Remediation) requires timely patching of the AI Engine plugin vulnerability, eliminating the unrestricted upload flaw across affected versions.
SI-3 (Malicious Code Protection) scans and blocks execution of uploaded malicious files, mitigating the impact even if a dangerous upload succeeds.