The AI Engine WordPress plugin (up to version 3.3.2) contains a Server-Side Request Forgery vulnerability (CWE-918) in its 'get_audio' function. Authenticated users with at least Subscriber privileges can leverage this flaw to induce the server to make HTTP requests to arbitrary locations. This behavior is contingent on the plugin's "Public API" feature being enabled and the PHP configuration 'allow_url_fopen' being set to 'On'. Such SSRF vulnerabilities can allow attackers to interact with internal services that are otherwise inaccessible externally, potentially leading to information disclosure or unauthorized modification. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial impact on confidentiality and integrity. There is no information about an official patch or remediation from the vendor at this time.

An authenticated attacker with Subscriber-level access or higher can exploit this SSRF vulnerability to make arbitrary HTTP requests from the server hosting the AI Engine plugin. This can enable the attacker to access or modify internal services that are not directly exposed, potentially leading to partial confidentiality and integrity loss of internal data. The vulnerability does not impact availability. The impact depends on the plugin's configuration (Public API enabled) and server PHP settings ('allow_url_fopen' enabled). No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to disable the "Public API" feature in the AI Engine plugin settings if enabled and consider setting 'allow_url_fopen' to 'Off' on the server to reduce risk. Additionally, restrict plugin access to trusted users only, as exploitation requires authenticated access with Subscriber-level privileges or higher.