CVE-2025-13380 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting the AI Engine for WordPress: ChatGPT, GPT Content Generator plugin. The vulnerability exists in all versions up to and including 1.0.1 due to insufficient validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint. Specifically, the plugin uses the PHP function file_get_contents() in the insert_image() function with user-controlled URLs that lack protocol restrictions, allowing an authenticated attacker with Contributor-level privileges or higher to read arbitrary files on the server. This arbitrary file read can expose sensitive information such as configuration files, credentials, or other private data stored on the server. The attack vector requires authentication but no additional user interaction, and the vulnerability is remotely exploitable over the network. The CVSS v3.1 base score is 6.5, reflecting a medium severity with high confidentiality impact but no integrity or availability impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of improper input validation and unsafe file handling in WordPress plugins, especially those handling AI-generated content and media insertion.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data hosted on WordPress sites using the affected plugin. Attackers with Contributor-level access—which can be obtained through compromised accounts or weak credential management—can read arbitrary files, potentially exposing database credentials, API keys, or personal data protected under GDPR. This could lead to data breaches, regulatory fines, reputational damage, and further exploitation such as lateral movement within the network. Since WordPress is widely used across Europe for corporate websites, e-commerce, and content management, the scope of affected systems is broad. The vulnerability does not affect system integrity or availability directly but can be a stepping stone for more severe attacks. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, and government, are particularly at risk due to the sensitivity of data that could be exposed.

1. Immediately update the AI Engine for WordPress plugin to a patched version once available. 2. Until a patch is released, restrict Contributor-level user permissions and audit existing user accounts to ensure only trusted users have such access. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'lqdai_update_post' AJAX endpoint, especially those attempting to manipulate file paths. 4. Harden the server environment by disabling PHP functions like file_get_contents() for untrusted inputs or restricting file system access via PHP open_basedir settings. 5. Monitor server logs for unusual file access patterns or attempts to read sensitive files. 6. Employ intrusion detection systems to alert on anomalous behavior related to file reads. 7. Educate site administrators on the risks of installing unvetted plugins and maintaining strict access controls. 8. Consider isolating WordPress instances or running them in containers to limit the impact of potential exploits.