CVE-2026-23802
Unrestricted File Upload in Jordy Meow AI Engine
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jordy_meow | ai_engine | From 3.0.0 (inc) to 3.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23802 is an Arbitrary File Upload vulnerability in the WordPress AI Engine Plugin versions up to and including 3.3.2.
It allows an attacker with Editor or Developer privileges to upload arbitrary files, including malicious backdoors, to the affected website.
This means that the attacker can use the plugin's unrestricted file upload feature to place dangerous files on the server. [1]
How can this vulnerability impact me?
The vulnerability can lead to full site compromise by allowing attackers to upload malicious files.
Once exploited, attackers may gain unauthorized control over the website, potentially leading to data theft, defacement, or further exploitation.
Because the vulnerability is classified as high severity with a CVSS score of 9.1, the risk of exploitation is critical and likely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows an attacker with Editor or Developer privileges to upload arbitrary files, including malicious backdoors, to the affected WordPress AI Engine Plugin (versions up to 3.3.2). Detection can focus on monitoring for unusual file uploads or changes within the plugin's upload directories.
While specific commands are not provided in the resources, general detection methods include:
- Checking the WordPress uploads directory for unexpected or suspicious files.
- Reviewing recent file changes or uploads by users with Editor or Developer roles.
- Using file integrity monitoring tools to detect unauthorized file additions.
- Monitoring web server logs for suspicious POST requests targeting the AI Engine Plugin upload endpoints. [1]
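The uploads-directory check above can be scripted. The scanner below is an added example, not code from the Patchstack record or from the AI Engine plugin: it walks a WordPress uploads tree and flags files by executable suffix (including double extensions such as avatar.php.jpg), by a PHP open tag in the content regardless of file name, and by an .htaccess placed in uploads; the directory layout and sample files are constructed.

```python
# Added example for CVE-2026-23802 (CWE-434), not code from the Patchstack
# record or the AI Engine plugin; the sample tree below is constructed.
import os
import re
import tempfile

# Suffixes a typical LAMP host hands to the PHP interpreter. Every suffix in
# the name is checked so a double extension such as avatar.php.jpg is caught.
EXEC_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_MARKERS = re.compile(rb"<\?php\b|<\?=")  # PHP open tags

def suspicious_reasons(path):
    """Return the reasons a file inside the uploads tree looks dangerous."""
    reasons = []
    name = os.path.basename(path).lower()
    if name == ".htaccess":
        reasons.append("htaccess in uploads (can change how files are served)")
    hit = [s for s in name.split(".")[1:] if s in EXEC_SUFFIXES]
    if hit:
        reasons.append(f"executable extension .{hit[0]}")
    with open(path, "rb") as fh:  # only the first 4 KiB is inspected
        if PHP_MARKERS.search(fh.read(4096)):
            reasons.append("PHP open tag in file content")
    return reasons

def scan_uploads(uploads_dir):
    """Map each suspicious file (slash-separated relative path) to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for fname in files:
            full = os.path.join(root, fname)
            reasons = suspicious_reasons(full)
            if reasons:
                rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
                findings[rel] = reasons
    return findings

def build_sample_tree():
    """Write a constructed uploads tree to a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(base, "2026", "03")
    os.makedirs(month)
    samples = {"photo.jpg": b"\xff\xd8\xff\xe0JFIF",  # benign image header
               "avatar.php.jpg": b"GIF89a",           # double extension
               "notes.txt": b"<?php echo 1; ?>",      # PHP behind a .txt name
               ".htaccess": b"# constructed sample"}
    for fname, data in samples.items():
        with open(os.path.join(month, fname), "wb") as fh:
            fh.write(data)
    return base
```

Run `scan_uploads("/path/to/wp-content/uploads")` against a real site; anything it returns deserves a look, since a correctly working WordPress never stores PHP under uploads.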
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the WordPress AI Engine Plugin to version 3.3.3 or later, where this vulnerability has been patched.
Until the update can be applied, Patchstack provides a rule to block exploitation attempts, which can be used as a temporary protective measure.
Additional recommended steps include:
- Restricting Editor and Developer privileges to trusted users only.
- Implementing continuous vulnerability intelligence and monitoring solutions to detect and prevent exploitation.
- Regularly backing up the website to enable recovery in case of compromise.