CVE-2024-13882

High

Published: 08 March 2025

Published

08 March 2025

Modified

13 March 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0517 89.9th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13882 affects the Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress, specifically in all versions up to and including 2.3.8. The vulnerability stems from missing file type validation in the 'aiomatic_generate_featured_image' function, enabling arbitrary file uploads. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Contributor-level access or higher can exploit this issue over the network with low complexity and no user interaction required. By uploading arbitrary files to the WordPress site's server via the vulnerable function, attackers may achieve remote code execution, potentially compromising the entire server.

The plugin vendor's full changelog at coderevolution.ro and Wordfence threat intelligence advisory at wordfence.com detail remediation steps, including updates beyond version 2.3.8 to address the file validation flaw. Security practitioners should verify patch status and restrict Contributor access where possible.

Details

CWE(s): CWE-434

Affected Products

coderevolution

aiomatic

≤ 2.3.9

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: The vulnerability affects the Aiomatic WordPress plugin, which provides AI content writing, editing, GPT-3/GPT-4 integration, ChatGPT chatbot, and AI toolkit functionalities, fitting the Enterprise AI Assistants category as an AI assistant tool for content generation and automation.

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Arbitrary file upload vulnerability enables exploitation of public-facing WordPress application (T1190) and facilitates deployment of web shells for remote code execution (T1100).

References

https://coderevolution.ro/knowledge-base/faq/full-changelog-aiomatic-automatic-ai-content-writer-editor-gpt-3-gpt-4-chatgpt-chatbot-ai-toolkit/
Product · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7108df0d-771a-4404-b90d-8ac8bc572898?source=cve
Third Party Advisory · security@wordfence.com