aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

CVE-2025-6206: The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is

high
vulnerability
security
Jun 24, 2025
CVE-2025-6206

The Aiomatic WordPress plugin (versions up to 2.5.0) has a security flaw where it doesn't properly check what type of files users are uploading, allowing authenticated attackers with basic user access to upload harmful files to the server. This could potentially lead to RCE (remote code execution, where an attacker can run commands on a system they don't own), though an attacker needs to provide a Stability.AI API key value to exploit it.

NVD/CVE Database

CVE-2024-12471: The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is

high
vulnerability
security
Jan 7, 2025
CVE-2024-12471
EPSS: 64.4%

A WordPress plugin called 'The Post Saint' (used to generate AI text and images) has a security flaw in versions up to 1.3.1 where it fails to check user permissions and validate file types when uploading files. This allows attackers with basic user accounts to upload malicious files that could let them execute arbitrary code (RCE, running unauthorized commands) on the website.

NVD/CVE Database

CVE-2024-31462: stable-diffusion-webui is a web interface for Stable Diffusion, implemented using Gradio library. Stable-diffusion-webui

medium
vulnerability
security
Apr 12, 2024
CVE-2024-31462

Stable-diffusion-webui version 1.7.0 has a vulnerability where user input from the Backup/Restore tab is not properly validated before being used to create file paths, allowing attackers to write JSON files to arbitrary locations on Windows systems where the web server has access. This is a limited file write vulnerability (a security flaw that lets attackers create or modify files in unintended locations) that could let an attacker place malicious files on the server.

NVD/CVE Database

CVE-2023-46315: The zanllp sd-webui-infinite-image-browsing (aka Infinite Image Browsing) extension before 977815a for stable-diffusion-

high
vulnerability
security
Oct 22, 2023
CVE-2023-46315

The Infinite Image Browsing extension for Stable Diffusion web UI (a tool for generating images with AI) has a security flaw that allows attackers to read any file on a computer if Gradio authentication is enabled without a secret key configuration. Attackers can exploit this by manipulating URLs with /file?path= to access sensitive files, such as environment variables that might contain login credentials.

Fix: Update to commit 977815a or later. The patch is available at https://github.com/zanllp/sd-webui-infinite-image-browsing/pull/368/commits/977815a2b28ad953c10ef0114c365f698c4b8f19

NVD/CVE Database