What the vulnerability does
01Description
The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint and the use of file_get_contents() with user-controlled URLs without protocol restrictions in the insert_image() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Explanation of Vulnerability in Simple Terms
02Summary
The AI Engine for WordPress plugin through version 1.0.1 contains an external entity reference vulnerability that allows authenticated users to read sensitive files from the server. An attacker with low-level WordPress access can exploit this to retrieve configuration files, database credentials, or other private data. The vulnerability requires valid WordPress login credentials but no additional user interaction.
What an attacker can do
03Attacker Capabilities
Read sensitive files from the server, such as configuration files or credentials.
Potential impact on your site
04Site Impact
Attackers with WordPress accounts can access server files containing database credentials, API keys, or other sensitive configuration data.
Conditions required to exploit
05Prerequisites
Valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
November 25, 2025
CVE published
April 8, 2026
Record updated