CVE-2024-13361 is a vulnerability classified under CWE-862 (Missing Authorization) found in the AI Power: Complete AI Pack WordPress plugin developed by senols. The flaw exists in the wpaicg_save_image_media function, which lacks proper capability checks to verify if the authenticated user has sufficient permissions before allowing image uploads. This missing authorization allows any authenticated user with Subscriber-level privileges or above to upload image files containing malicious shortcode attributes embedded within the image_alt metadata field. When a POST request is made to the attachment page, these shortcode attributes can be executed, potentially enabling unauthorized actions such as code execution, data manipulation, or privilege escalation within the WordPress environment. The vulnerability affects all plugin versions up to and including 1.8.96. The CVSS v3.1 base score is 6.3, indicating a medium severity level, with attack vector being network-based, low attack complexity, requiring low privileges, no user interaction, and impacting confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the low privilege required for exploitation and the potential for executing arbitrary shortcode code. The lack of a patch link suggests that a fix may not yet be available, underscoring the need for immediate mitigation steps by site administrators.

This vulnerability can have serious consequences for organizations running WordPress sites with the AI Power: Complete AI Pack plugin. An attacker with minimal privileges (Subscriber-level) can upload malicious images containing executable shortcode attributes, potentially leading to unauthorized code execution within the WordPress environment. This can compromise the confidentiality of sensitive data, integrity of website content, and availability of the site if the attacker disrupts normal operations. Exploitation could facilitate further attacks such as privilege escalation, data exfiltration, or website defacement. Given WordPress's widespread use for business, e-commerce, and content publishing, the impact could extend to brand reputation damage, financial loss, and regulatory compliance issues. The vulnerability's network accessibility and lack of user interaction requirement increase the risk of automated exploitation attempts once a patch or exploit becomes public.

Until an official patch is released, organizations should implement specific mitigations to reduce risk. First, restrict user roles and permissions strictly, limiting Subscriber-level access to trusted users only. Disable or remove the AI Power: Complete AI Pack plugin if it is not essential. For sites requiring the plugin, consider temporarily disabling image upload capabilities for low-privilege users via custom code or security plugins that enforce capability checks on media uploads. Monitor WordPress logs for unusual POST requests to attachment pages and unexpected shortcode executions. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode patterns in image metadata. Keep WordPress core and all plugins updated, and subscribe to vendor advisories for patch announcements. Conduct regular security audits and backups to enable rapid recovery if exploitation occurs.