CVE-2025-7847: CWE-434 Unrestricted Upload of File with Dangerous Type in tigroumeow AI Engine
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible.
AI Analysis
Technical Summary
The tigroumeow AI Engine plugin for WordPress, specifically versions 2.9.3 and 2.9.4, contains a critical vulnerability identified as CVE-2025-7847, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The root cause is the absence of proper file type validation in the rest_simpleFileUpload() function, which is part of the plugin's REST API interface. This flaw allows authenticated users with minimal privileges (Subscriber-level or above) to upload arbitrary files to the web server. Since the REST API is commonly enabled in WordPress environments, this vulnerability significantly broadens the attack surface. Uploaded files can be crafted to execute malicious code remotely, potentially leading to full system compromise. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity with network attack vector, low attack complexity, and privileges required but no user interaction. Although no public exploits have been reported yet, the ease of exploitation and potential impact make this a critical risk for affected sites. The vulnerability affects a widely used AI plugin, increasing the likelihood of targeted attacks once exploit code becomes available.
Potential Impact
Exploitation of CVE-2025-7847 can have severe consequences for organizations running the tigroumeow AI Engine plugin on WordPress. Attackers with low-level authenticated access can upload malicious files, potentially leading to remote code execution, full server compromise, data theft, defacement, or use of the server as a pivot point for further attacks. This threatens confidentiality, integrity, and availability of affected systems. Given WordPress's extensive use globally, especially among small to medium businesses and content-driven sites, the impact could be widespread. Compromised servers may also be leveraged for distributing malware or launching attacks against other targets. The vulnerability's exploitation could disrupt business operations, damage reputation, and incur regulatory penalties if sensitive data is exposed.
Mitigation Recommendations
1. Immediately update the tigroumeow AI Engine plugin to a patched version once available; monitor vendor advisories for official fixes.
2. If patches are not yet released, disable or restrict the REST API endpoints related to file uploads, especially rest_simpleFileUpload(), using WordPress security plugins or custom rules.
3. Enforce strict file type validation and content scanning on all uploaded files at the web server or application firewall level.
4. Limit user privileges rigorously, ensuring only trusted users have Subscriber-level or higher access.
5. Monitor server logs and WordPress audit trails for unusual file upload activity or unauthorized access attempts.
6. Implement web application firewalls (WAFs) with rules to detect and block suspicious file uploads.
7. Conduct regular security assessments and penetration testing focused on plugin vulnerabilities.
8. Back up website data and server configurations frequently to enable rapid recovery in case of compromise.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-18T20:25:13.424Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688af1f7ad5a09ad00b2c41f
Added to database: 7/31/2025, 4:32:55 AM
Last enriched: 2/26/2026, 4:42:18 PM
Last updated: 3/24/2026, 2:28:56 AM