CVE-2023-51409

CRITICAL EXPLOITED NUCLEI

Jordy Meow AI Engine: ChatGPT Chatbot <= 1.9.98 - Unauthenticated Arbitrary File Upload

Exploitation Summary

CVE-2023-51409 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including JoshuaProvoste, RandomRobbieBF, and Boshe99. A Nuclei detection template is also available.

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.

Exploits (4)

nomisec WORKING POC 1 stars
by JoshuaProvoste · remote
https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2023-51409

This repository contains a functional exploit for CVE-2023-51409, an unauthenticated arbitrary file upload vulnerability in the AI Engine WordPress plugin (version 1.9.98). The exploit uploads a PHP payload via a vulnerable REST endpoint, deploys it in the WordPress uploads directory, and provides an interactive shell for remote command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: AI Engine: ChatGPT Chatbot WordPress plugin v1.9.98
No auth needed
Prerequisites: Vulnerable version of the AI Engine plugin installed on WordPress · Network access to the target WordPress site
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 stars
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2023-51409

The repository contains a functional proof-of-concept for CVE-2023-51409, demonstrating an unauthenticated arbitrary file upload vulnerability in the AI Engine WordPress plugin via the 'rest_upload' function. It includes cURL commands and raw HTTP requests to exploit the vulnerability, allowing remote code execution by uploading malicious files.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress <= 1.9.98
No auth needed
Prerequisites: Access to the WordPress site's REST API endpoint · Ability to send HTTP POST requests to the target server
devstral-2 · analyzed Feb 19, 2026

github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2023-51409

The repository contains a functional Python exploit for CVE-2023-51409, targeting an arbitrary file upload vulnerability in the WordPress Plugin 3DPrint Lite 1.9.1.4. The exploit uploads a malicious file via the plugin's admin-ajax.php endpoint and confirms successful upload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · malicious file to upload
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by Nxploited · remote
https://github.com/Nxploited/CVE-2023-51409

This repository contains a functional exploit for CVE-2023-51409, an unauthenticated arbitrary file upload vulnerability in the AI Engine: ChatGPT Chatbot WordPress plugin (versions <= 1.9.98). The exploit checks the plugin version via readme.txt and uploads a PHP file to a vulnerable endpoint, demonstrating remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: AI Engine: ChatGPT Chatbot WordPress plugin <= 1.9.98
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the WordPress instance
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Jordy Meow AI Engine - Unrestricted File Upload
CRITICAL · VERIFIED · by pussycat0x

Scores

CVSS v3 10.0
EPSS 0.6505
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-01-11
CWE CWE-434
Status published
Products (2)
Jordy Meow/AI Engine: ChatGPT Chatbot < 1.9.98
meowapps/ai_engine < 1.9.99
Published Apr 12, 2024
Tracked Since Feb 18, 2026