CVE-2025-13380 MEDIUM

CVE-2025-13380: AI Engine for WordPress: ChatGPT, GPT Content Generator <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read

Vendor Liquidthemes
Product AI Engine for WordPress: ChatGPT, GPT Content Generator
Weakness CWE-73
Published November 25, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint and the use of file_get_contents() with user-controlled URLs without protocol restrictions in the insert_image() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
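The description names two missing checks: validation of the path a user supplies to the AJAX handler, and a scheme restriction on the value handed to file_get_contents(). The PHP below is an added illustration of what those two checks look like; it is not the plugin's code, and the lqd_example_* function names, the upload-directory argument and the self-check at the bottom are assumptions made for the example.

```php
<?php
// Added illustration, not code from the plugin. It shows the two checks the
// advisory says were missing: a scheme allow-list before file_get_contents()
// is called on a URL, and confinement of a user-supplied path to one directory.

declare(strict_types=1);

/**
 * Accept only http(s) URLs for remote fetches. Returns the URL or null.
 * Rejects file://, php://, data: and scheme-less values outright.
 */
function lqd_example_validate_remote_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/**
 * Resolve a user-supplied relative path inside $base_dir and refuse anything
 * that escapes it (dot-dot segments, symlinks, absolute paths).
 * Returns the resolved real path or null.
 */
function lqd_example_confine_path(string $base_dir, string $user_path): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Strip null bytes and leading separators so the value is always joined under $base.
    $user_path = str_replace("\0", '', $user_path);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($user_path, '/\\'));
    if ($candidate === false) {
        return null;
    }
    // The resolved path must sit strictly inside the base directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened read: both checks run before file_get_contents() is reached, and
 * any source that matches neither check is refused.
 */
function lqd_example_read_image(string $source, string $upload_dir): ?string
{
    if (($url = lqd_example_validate_remote_url($source)) !== null) {
        // Inside WordPress, wp_safe_remote_get() is the better choice here,
        // since it also refuses requests to internal hosts.
        $body = @file_get_contents($url);
        return $body === false ? null : $body;
    }
    if (($path = lqd_example_confine_path($upload_dir, $source)) !== null) {
        $body = @file_get_contents($path);
        return $body === false ? null : $body;
    }
    return null;
}

// Constructed self-check: a temporary directory with one allowed file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lqd_example_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'ok.png', 'fake-png-bytes');

var_dump(lqd_example_validate_remote_url('https://example.com/image.png'));
var_dump(lqd_example_validate_remote_url('file:///outside.txt'));
var_dump(lqd_example_confine_path($tmp, 'ok.png'));
var_dump(lqd_example_confine_path($tmp, '../outside.txt'));
var_dump(lqd_example_read_image('ok.png', $tmp));

unlink($tmp . DIRECTORY_SEPARATOR . 'ok.png');
rmdir($tmp);
```

The scheme allow-list is what closes the file:// and php:// wrapper case the description refers to, and the realpath() comparison is what stops a path value from leaving the directory the handler is meant to serve; a handler that does neither is the pattern the advisory describes.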

Explanation of Vulnerability in Simple Terms

Summary

The AI Engine for WordPress plugin through version 1.0.1 lets a user control which file or URL the server reads (CWE-73, external control of file name or path), so authenticated users can read sensitive files from the server. An attacker with low-level WordPress access can exploit this to retrieve configuration files, database credentials, or other private data. The vulnerability requires valid WordPress login credentials but no additional user interaction.

What an attacker can do

Attacker Capabilities

Read sensitive files from the server, such as configuration files or credentials.

Potential impact on your site

Site Impact

Attackers with WordPress accounts can access server files containing database credentials, API keys, or other sensitive configuration data.

Conditions required to exploit

Prerequisites

Valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).

Key dates

Disclosure timeline

November 25, 2025 CVE published
April 8, 2026 Record updated