CVE-2024-13361
Published: 22 January 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2024-13361 is an unauthorized access vulnerability in the AI Power: Complete AI Pack plugin for WordPress, affecting all versions up to and including 1.8.96. The issue arises from a missing capability check on the wpaicg_save_image_media function, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low-privilege network access.
Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability by sending a POST request that uploads image files. They can embed shortcode attributes in the image_alt value of the uploaded images; these are executed when a POST request is sent to the attachment page, potentially leading to limited confidentiality, integrity, and availability impacts.
Advisories reference a patch in WordPress plugin trac changeset 3224162, which modifies the wpaicg_image.php file in the plugin trunk. Wordfence provides additional threat intelligence details at their vulnerability page.
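As an added illustration (this is not the plugin's code and not the trac changeset), the missing-authorization pattern the summary describes is shown beside a hardened handler: the function names, the action hook, the `image`, `image_alt` and `nonce` request fields and the `example_save_image` nonce action are all hypothetical.

```php
<?php
// Hypothetical WordPress AJAX upload handler, NOT the plugin's own code.
// It demonstrates the CWE-862 shape described in the advisory (a media
// upload reachable by any logged-in user with no capability check) and
// the checks a hardened version of the same handler should perform.

// --- Vulnerable pattern: being logged in is the only requirement. ---
// add_action('wp_ajax_example_save_image', 'example_save_image_vulnerable');
function example_save_image_vulnerable() {
    // No nonce and no capability check: a Subscriber can reach this.
    $alt = isset($_POST['image_alt']) ? wp_unslash($_POST['image_alt']) : '';
    $id  = media_handle_upload('image', 0); // stores $_FILES['image']
    if (is_wp_error($id)) {
        wp_send_json_error($id->get_error_message());
    }
    // The raw alt text is stored, so a "[shortcode]" survives into post meta.
    update_post_meta($id, '_wp_attachment_image_alt', $alt);
    wp_send_json_success(['id' => $id]);
}

// --- Hardened pattern: nonce, capability check, type check, sanitising. ---
// add_action('wp_ajax_example_save_image', 'example_save_image_hardened');
function example_save_image_hardened() {
    // CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer('example_save_image', 'nonce');

    // Authorization (the check CWE-862 is about): require the capability
    // WordPress itself demands for adding files to the media library.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    // Accept only real image MIME types, not just an image-like extension.
    $check = wp_check_filetype_and_ext($_FILES['image']['tmp_name'],
                                       $_FILES['image']['name']);
    if (empty($check['type']) || strpos($check['type'], 'image/') !== 0) {
        wp_send_json_error('only image uploads are accepted', 400);
    }

    $id = media_handle_upload('image', 0);
    if (is_wp_error($id)) {
        wp_send_json_error($id->get_error_message());
    }

    // Alt text is plain text: strip shortcodes and tags before storing it.
    $alt = sanitize_text_field(strip_shortcodes(wp_unslash($_POST['image_alt'] ?? '')));
    update_post_meta($id, '_wp_attachment_image_alt', $alt);
    wp_send_json_success(['id' => $id]);
}
```

The `wp_send_json_*` helpers terminate the request, so each failed check ends the handler before any file is written.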
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- The vulnerability affects the 'AI Power: Complete AI Pack' WordPress plugin, which provides AI functionalities such as content generation and image handling, fitting the Enterprise AI Assistants category as an integrated AI solution for content management platforms.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged users to bypass capability checks for image uploads and to inject shortcodes into alt text, facilitating privilege escalation (T1068), ingress tool transfer via unauthorized uploads (T1105), exploitation of a public-facing web application (T1190), and web shell deployment through executable shortcodes on attachment pages (T1505.003).