CVE-2025-7780 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the tigroumeow AI Engine plugin for WordPress, affecting all versions up to and including 2.9.4. The root cause is the failure of the simpleTranscribeAudio endpoint to properly validate or restrict URL schemes before calling the get_audio() function. This flaw allows authenticated attackers with Subscriber-level privileges or higher to craft requests that cause the plugin to read arbitrary files from the web server’s filesystem. The retrieved file contents can then be exfiltrated through the plugin’s integration with the OpenAI API, effectively leaking sensitive server-side data. The vulnerability does not require user interaction beyond authentication, making it easier to exploit once credentials are obtained. The CVSS v3.1 base score is 6.5, with an attack vector of network, low attack complexity, privileges required at the low level (Subscriber), no user interaction, and high impact on confidentiality. Integrity and availability are not impacted. No patches or exploit code are currently publicly available, but the vulnerability’s presence in a widely used WordPress plugin makes it a significant concern. The flaw highlights the importance of strict input validation and access control in plugin endpoints, especially those interfacing with external APIs.

The primary impact of CVE-2025-7780 is unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable WordPress site. Attackers with Subscriber-level access can read arbitrary files, potentially exposing configuration files, database credentials, private keys, or other sensitive data. This can lead to further compromise, including privilege escalation, lateral movement, or data breaches affecting customers and users. Since WordPress powers a large portion of websites globally, and the tigroumeow AI Engine plugin is integrated with AI services, the risk extends to organizations relying on AI-driven content or transcription features. The confidentiality breach could damage organizational reputation, violate data protection regulations, and cause financial losses. Although integrity and availability are not directly affected, the exposure of sensitive files can facilitate more severe attacks. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability’s ease of exploitation by authenticated users means it could be leveraged in insider threat scenarios or through compromised accounts.

To mitigate CVE-2025-7780, organizations should first verify if they are running the tigroumeow AI Engine plugin version 2.9.4 or earlier and prioritize updating to a patched version once available. In the absence of an official patch, administrators should consider disabling or restricting access to the simpleTranscribeAudio endpoint, especially for Subscriber-level users or lower. Implementing strict web application firewall (WAF) rules to detect and block suspicious requests targeting this endpoint can reduce exploitation risk. Additionally, review and tighten user privilege assignments to minimize the number of users with Subscriber or higher roles. Monitoring logs for unusual file access patterns or API calls related to the plugin can help detect attempted exploitation. Finally, conduct regular security audits of WordPress plugins and ensure that third-party integrations, especially those involving external APIs, enforce robust input validation and access controls.