CVE-2026-23802
Awaiting Analysis - Queue
Unrestricted File Upload in Jordy Meow AI Engine

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine (ai-engine) allows Using Malicious Files. This issue affects AI Engine: from n/a through <= 3.3.2.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-09
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: jordy_meow
Product: ai_engine
Version / Range: From 3.0.0 (inc) to 3.3.2 (inc)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

CVE-2026-23802 is an Arbitrary File Upload vulnerability in the WordPress AI Engine Plugin versions up to and including 3.3.2.

It allows an attacker with Editor or Developer privileges to upload arbitrary files, including malicious backdoors, to the affected website.

This means that the attacker can use the plugin's unrestricted file upload feature to place dangerous files on the server. [1]

Impact Analysis

The vulnerability can lead to full site compromise by allowing attackers to upload malicious files.

Once exploited, attackers may gain unauthorized control over the website, potentially leading to data theft, defacement, or further exploitation.

Because the vulnerability is classified as high severity with a CVSS score of 9.1, the risk of exploitation is critical and likely.


Detection Guidance

This vulnerability allows an attacker with Editor or Developer privileges to upload arbitrary files, including malicious backdoors, to the affected WordPress AI Engine Plugin (versions up to 3.3.2). Detection can focus on monitoring for unusual file uploads or changes within the plugin's upload directories.

While specific commands are not provided in the resources, general detection methods include:

  • Checking the WordPress uploads directory for unexpected or suspicious files.
  • Reviewing recent file changes or uploads by users with Editor or Developer roles.
  • Using file integrity monitoring tools to detect unauthorized file additions.
  • Monitoring web server logs for suspicious POST requests targeting the AI Engine Plugin upload endpoints.

[1]

Mitigation Strategies

The primary and immediate mitigation step is to update the WordPress AI Engine Plugin to version 3.3.3 or later, where this vulnerability has been patched.

Until the update can be applied, Patchstack provides a rule to block exploitation attempts, which can be used as a temporary protective measure.

Additional recommended steps include:

  • Restricting Editor and Developer privileges to trusted users only.
  • Implementing continuous vulnerability intelligence and monitoring solutions to detect and prevent exploitation.
  • Regularly backing up the website to enable recovery in case of compromise.