CVE-2025-5570
BaseFortify
Publication date: 2025-07-08
Last updated on: 2025-08-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| meowapps | ai_engine | to 2.8.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the AI Engine WordPress plugin (up to version 2.8.4) is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the 'id' parameter in the mwai_chatbot shortcode. Authenticated users with Subscriber-level access or higher can inject malicious scripts into pages. These scripts execute whenever any user accesses the infected page, potentially compromising user sessions or data. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers with low-level authenticated access to inject arbitrary web scripts into pages. This can lead to session hijacking, defacement, or unauthorized actions performed on behalf of users who visit the infected pages. It compromises the integrity and security of the website and its users by enabling persistent malicious code execution. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the presence of the mwai_chatbot shortcode with malicious payloads in WordPress pages or posts, especially targeting the 'id' parameter. Additionally, inspecting HTTP requests to the REST API endpoint /mwai-ui/v1/chats/submit for suspicious or malformed input could help detect exploitation attempts. Since the vulnerability involves Stored Cross-Site Scripting via shortcode parameters, scanning the WordPress database content for injected scripts in pages or posts containing the mwai_chatbot shortcode is recommended. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the AI Engine WordPress plugin to a version later than 2.8.4 where the vulnerability is fixed. Until an update is available, restrict Subscriber-level user permissions to prevent unauthorized shortcode injection, and monitor or disable the mwai_chatbot shortcode usage. Additionally, review and sanitize any existing content that uses the mwai_chatbot shortcode to remove injected scripts. Implementing input validation and output escaping on the 'id' parameter in shortcode usage is critical, as the vulnerability arises from insufficient sanitization and escaping. [1]