Cyber Posture

CVE-2024-13714

Severity: High
Published: 12 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0151 (81.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13714 is an arbitrary file upload vulnerability in the All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress, affecting all versions up to and including 1.0.4. The issue arises from missing file type validation in the '_get_image_by_url' function, classified under CWE-434. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability over the network with low complexity and no user interaction required. By leveraging the flawed function, they can upload arbitrary files to the affected WordPress site's server, which may lead to remote code execution.

Mitigation details are available in the referenced advisories, including the WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3231889%40all-images-ai&new=3231889%40all-images-ai&sfp_email=&sfph_mail= and the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/422c634c-5119-40ef-adf7-681c3d8c09a2?source=cve. Security practitioners should update the plugin to a version later than 1.0.4 to address the issue.
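As an added defender-side illustration (not code from the plugin, the patch or this page), the following plain-PHP helper shows the kind of content validation the summary says was missing from '_get_image_by_url': the stored extension is derived from the sniffed MIME type rather than from the URL, and anything that does not decode as an image is refused. The function name, the allow-list and the demo input are assumptions; inside WordPress the same checks would normally go through wp_check_filetype_and_ext() and wp_handle_sideload() rather than a hand-rolled routine.

```php
<?php
// Added illustration, not the plugin's code: a hardened "save image fetched
// by URL" helper. The page reports that '_get_image_by_url' lacked file type
// validation; this version derives the extension from the sniffed MIME type
// and rejects anything that is not a decodable raster image. Names are hypothetical.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Validate raw bytes as an image and store them under $dest_dir.
// Returns the stored path, or null when the content is rejected.
function store_image_bytes(string $bytes, string $dest_dir): ?string
{
    // 1. Sniff the real content type. Never trust the URL, the remote
    //    Content-Type header or any user-supplied filename.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;                         // e.g. text/x-php, text/html
    }

    // 2. Require that the bytes actually decode as an image of that type.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }

    // 3. Extension comes from the allow-list and the name is random, so no
    //    ".php", no double extensions like "x.php.jpg", no path traversal.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $path = rtrim($dest_dir, '/') . '/' . $name;
    if (file_put_contents($path, $bytes, LOCK_EX) === false) {
        return null;
    }
    chmod($path, 0644);                      // plain data, not executable
    return $path;
}

// Constructed demo: a real 1x1 PNG is stored, a PHP script is refused.
$dir = sys_get_temp_dir();
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
                   . 'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
echo store_image_bytes($png, $dir) ? "png stored\n" : "png rejected\n";
echo store_image_bytes("<?php echo 'not an image'; ?>", $dir) ? "script stored\n" : "script rejected\n";
```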

Details

CWE(s): CWE-434

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: The vulnerability affects the All-Images.ai WordPress plugin, which is an AI-related platform for image banking and custom image creation, fitting under 'Other Platforms' as it is not a framework, library, or specific AI subcategory like Computer Vision or NLP.

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The arbitrary file upload vulnerability enables exploitation of a public-facing WordPress plugin (T1190), facilitates uploading web shells for remote code execution (T1505.003), and allows ingress of tools or malware into the environment (T1105).

References