CVE-2025-13380
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | chatgpt_gpt_content_generator | 1.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the AI Engine for WordPress: ChatGPT, GPT Content Generator plugin up to version 1.0.1. It allows authenticated users with Contributor-level access or higher to read arbitrary files on the server. This happens because the plugin does not properly validate user-supplied file paths in the 'lqdai_update_post' AJAX endpoint and uses file_get_contents() on user-controlled URLs without restricting protocols in the insert_image() function. As a result, attackers can access sensitive server files.
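The two missing checks named above, written out as an added example in plain PHP. This is constructed code, not the plugin's own source or its patch; the function names `is_allowed_image_url()` and `resolve_inside()`, the sample URLs and the temporary directory layout are all assumptions made for illustration.

```php
<?php
// Added example: constructed code, not taken from the plugin.
// Function names and sample inputs are hypothetical.

/** Accept only absolute http(s) URLs; any other scheme or a bare path is refused. */
function is_allowed_image_url(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative paths, bare filenames, malformed input
    }
    // Allow-list, not deny-list: file://, php://, data://, phar://, ftp:// all fail here.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** Resolve a user-supplied relative path; return it only if it stays inside $baseDir. */
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    // realpath() collapses ../ and symlinks, so the prefix check sees the true location.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false) {
        return null; // target does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed inputs for the URL check, as they might reach a function like insert_image().
foreach ([
    'HTTPS://images.example.com/cat.png',
    'file:///etc/hostname',
    'ftp://files.example.com/cat.png',
    '../../wp-config.php',
] as $candidate) {
    printf("%-38s %s\n", $candidate, is_allowed_image_url($candidate) ? 'fetch' : 'reject');
}

// Constructed directory layout for the path check.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . uniqid();
mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'ok.png', 'x');
var_dump(resolve_inside($uploads, 'ok.png') !== null); // file inside the base directory
var_dump(resolve_inside($uploads, '..') !== null);     // parent of the base directory
```

Inside WordPress, fetching remote content through the core HTTP API (for example `wp_safe_remote_get()`) instead of calling `file_get_contents()` on the supplied value keeps local stream wrappers out of reach.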
How can this vulnerability impact me?
An attacker with Contributor-level access or above can exploit this vulnerability to read arbitrary files on the server, potentially exposing sensitive information stored on the server. This could lead to information disclosure, which might compromise the security of the website and its data.