CVE-2024-13714: CWE-434 Unrestricted Upload of File with Dangerous Type in allimages All-Images.ai – IA Image Bank and Custom Image creation
CVE-2024-13714 is a high-severity vulnerability in the All-Images.ai WordPress plugin that allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing file type validation. This flaw exists in the '_get_image_by_url' function and affects all versions up to 1.0.4. Exploitation could lead to remote code execution on the affected server, compromising confidentiality, integrity, and availability. No user interaction beyond authentication is required, and the vulnerability is remotely exploitable over the network. Although no known exploits are currently reported in the wild, the high CVSS score of 8.8 indicates significant risk. Organizations using this plugin should prioritize patching or applying mitigations immediately to prevent potential attacks.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-13714 affects the All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress, specifically versions up to and including 1.0.4. The root cause is the absence of proper file type validation in the '_get_image_by_url' function, which allows authenticated users with Subscriber-level privileges or higher to upload arbitrary files to the server. This unrestricted file upload vulnerability (CWE-434) can be exploited remotely without user interaction beyond authentication. Attackers can leverage this flaw to upload malicious files, potentially leading to remote code execution (RCE), which compromises the confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 8.8, reflecting high severity: network attack vector, low attack complexity, low privileges required, and no user interaction needed. The vulnerability affects all versions of the plugin up to 1.0.4, and no official patches or updates have been linked yet. While no active exploits are reported, the potential for exploitation is significant given the common use of WordPress and the plugin's functionality. The impact is amplified by the fact that Subscriber-level accounts are often easy to obtain on many WordPress sites, which widens the attack surface. The technical details confirm the vulnerability's publication and assignment by Wordfence, with no known mitigations currently published by the vendor.
Potential Impact
The impact of CVE-2024-13714 is substantial for organizations running WordPress sites with the All-Images.ai plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially leading to full system compromise. This can result in data breaches, defacement, malware deployment, lateral movement within networks, and disruption of services. Confidential information stored on the server can be exfiltrated, altered, or destroyed. The integrity of the website and its content can be compromised, damaging organizational reputation and trust. Availability may also be affected if attackers deploy ransomware or conduct denial-of-service activities. Since the vulnerability requires only Subscriber-level access, attackers can exploit weak or stolen credentials, increasing the risk. The widespread use of WordPress globally means many organizations, including small businesses, e-commerce sites, and content providers, are at risk. The absence of known exploits in the wild currently provides a window for proactive defense, but the high severity score underscores the urgency of mitigation.
Mitigation Recommendations
To mitigate CVE-2024-13714 effectively, organizations should take the following specific actions:
1) Immediately disable or uninstall the All-Images.ai plugin until a vendor patch is released.
2) Restrict user roles and permissions rigorously, ensuring that Subscriber-level accounts are monitored and limited to trusted users only.
3) Implement web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts targeting the '_get_image_by_url' function or related endpoints.
4) Employ strict server-side file type validation and sanitization for all uploaded files, not relying solely on client-side checks.
5) Monitor server logs and WordPress activity logs for unusual file upload patterns or privilege escalations.
6) Conduct regular vulnerability scans and penetration tests focusing on file upload functionalities.
7) Harden the WordPress environment by disabling PHP execution in upload directories where possible.
8) Educate administrators and users about the risks of weak credentials and enforce strong authentication mechanisms, including multi-factor authentication (MFA).
9) Stay informed about vendor updates and apply patches promptly once available.
10) Consider using plugin alternatives with better security track records if immediate patching is not feasible.
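The technical summary above traces the flaw to a URL-fetching function that writes whatever it retrieves without checking the file type, and mitigation items 2 and 4 call for a capability restriction and strict server-side validation. The following handler is an added example written for this page; it is not code from the All-Images.ai plugin, and its action name, function names and nonce action (`example_fetch_image_by_url`, `example_download_validated_image`, `example_fetch_image`) are hypothetical, since the plugin's real endpoint is not described here. It uses only WordPress core functions: a capability and nonce check, URL validation, content sniffing of the downloaded bytes, an extension allowlist that is derived from the detected content rather than the remote filename, and a final hand-off to `media_handle_sideload()`, which re-validates against the allowed MIME types.

```php
<?php
/**
 * Hardened "fetch image by URL" handler (added example, not the plugin's code).
 * The checks below are the ones whose absence CWE-434 describes.
 */

// Hypothetical AJAX action; the real plugin's endpoint is not known on this page.
add_action( 'wp_ajax_example_fetch_image_by_url', 'example_fetch_image_by_url' );

function example_fetch_image_by_url() {
    // 1. Authorization: require a nonce and the upload_files capability.
    //    Subscribers do not have upload_files by default, so they are refused here.
    check_ajax_referer( 'example_fetch_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Validate the remote URL before fetching (scheme, host, no loopback/private ranges).
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    $tmp = example_download_validated_image( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 400 );
    }

    // 5. Hand the verified file to core; media_handle_sideload() re-checks the
    //    extension/MIME pair against the site's allowed types before storing it.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $file_array    = array( 'name' => basename( $tmp ), 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        wp_delete_file( $tmp );
        wp_send_json_error( $attachment_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

/**
 * Download $url to a temp file and accept it only if its bytes are a real image
 * of an allowed type. Returns the temp file path, or a WP_Error.
 */
function example_download_validated_image( $url ) {
    // Allowlist: extension => MIME type. Anything else (php, phtml, svg, html, ...) is rejected.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
        'webp' => 'image/webp',
    );

    $response = wp_safe_remote_get(
        $url,
        array( 'timeout' => 15, 'limit_response_size' => 10 * MB_IN_BYTES )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'remote server did not return 200' );
    }
    $body = wp_remote_retrieve_body( $response );
    if ( '' === $body ) {
        return new WP_Error( 'empty_body', 'empty response' );
    }

    // 3. Write to a server-chosen temp name; the remote filename is never reused.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = wp_tempnam( 'fetched-image' );
    if ( ! $tmp || false === file_put_contents( $tmp, $body ) ) {
        return new WP_Error( 'write_failed', 'could not write temp file' );
    }

    // 4. Sniff the actual content. wp_get_image_mime() reads the image header,
    //    so a script renamed with a .png extension returns false here and is deleted.
    $mime = wp_get_image_mime( $tmp );
    $ext  = $mime ? array_search( $mime, $allowed, true ) : false;
    if ( false === $ext ) {
        wp_delete_file( $tmp );
        return new WP_Error( 'not_an_image', 'content is not an allowed image type' );
    }

    // Give the file an extension derived from the detected content, then let core
    // confirm that extension and MIME agree (proper_filename is set on mismatch).
    $typed = $tmp . '.' . $ext;
    if ( ! rename( $tmp, $typed ) ) {
        wp_delete_file( $tmp );
        return new WP_Error( 'rename_failed', 'could not rename temp file' );
    }
    $check = wp_check_filetype_and_ext( $typed, basename( $typed ), $allowed );
    if ( $check['type'] !== $mime || ! empty( $check['proper_filename'] ) ) {
        wp_delete_file( $typed );
        return new WP_Error( 'type_mismatch', 'extension and content disagree' );
    }
    return $typed;
}
```

Two design points matter for CWE-434 specifically. First, the extension is chosen by the server from the sniffed MIME type, so the remote URL's filename never influences what lands on disk. Second, content sniffing alone is not sufficient: a file that is a valid image and also carries script text still passes `wp_get_image_mime()`, which is why the extension allowlist and mitigation item 7 (no PHP execution in upload directories) are layered on top rather than treated as alternatives.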
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-24T15:14:18.024Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e6ab7ef31ef0b5a03d7
Added to database: 2/25/2026, 9:49:30 PM
Last enriched: 2/25/2026, 10:26:19 PM
Last updated: 2/26/2026, 7:14:12 AM