CVE-2024-13361 | AI Power: Complete AI Pack <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.
Conclusion & alert: CVE-2024-13361 is rated Moderate Risk (43.7/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.29%).Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2024-13361
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).