AI Engine

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server.

Basic Information

ID CVE-2026-0746

Source Wordfence

Published Jan 27, 2026 at 18:27

Affected Product

Vendor tigroumeow

Product AI Engine – The Chatbot and AI Framework for WordPress

Version *

Affected Versions tigroumeow AI Engine – The Chatbot and AI Framework for WordPress *

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if \"Public API\" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server.",
    "published": "2026-01-27T18:27:55.920Z",
    "modified": "2026-01-27T18:27:55.920Z",
    "type": "cve",
    "title": "AI Engine <= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbba866d-93dd-4ef5-9670-ab958f61f06e?source=cve\nhttps://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.1/classes/engines/chatml.php#L946\nhttps://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/engines/chatml.php",
    "id": "CVE-2026-0746",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "tigroumeow AI Engine \u2013 The Chatbot and AI Framework for WordPress *",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AI Engine \u2013 The Chatbot and AI Framework for WordPress",
    "version": "*",
    "vendor": "tigroumeow",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

AI Engine <= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery_CVE-2026-0746