AI Engine <= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

服务端请求伪造(SSRF)

WordPress plugin AI Engine 代码问题漏洞

WordPress plugin AI Engine是WordPress基金会的一个插件，可以用来构建智能聊天机器人，创建AI表单，并自动执行任务。 WordPress plugin AI Engine 3.3.2及之前版本存在代码问题漏洞，该漏洞源于get_audio函数存在服务端请求伪造，可能导致查询和修改内部服务信息。

N/A

N/A