CVE-2024-13360

MEDIUM

AI Power WordPress Plugin <=1.8.96 - Subscriber Server-Side Request Forgery

Title source: manual

Description

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3224162/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf6cbba-0e0c-4d2c-90d0-d7e0a5222df2?source=cve

Scores

CVSS v3 5.4

EPSS 0.0023

EPSS Percentile 13.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

aipower/aipower < 1.8.97

senols/AI Puffer – Your AI engine for WordPress (formerly AI Power) < 1.8.96

Published Jan 22, 2025

Tracked Since Feb 18, 2026