WordPress Plugin Vulnerabilities

AI ChatBot < 5.3.6 - Missing Authorization via openai_file_upload_callback

Description

The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_upload_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files to a linked OpenAI account.

Affects Plugins

Plugin icon
chatbot
Fixed in 5.3.6

References

CVE
CVE-2024-0452
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/34b6475c-b5dd-42a1-98d1-9b5ae9ff4ad5

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
96ac2b5a-727d-41e5-975b-29f441476697

Timeline

Publicly Published
2024-05-21 (about 1 year ago)
Added
2024-05-21 (about 1 year ago)
Last Updated
2024-07-29 (about 1 year ago)

Other

Published
Title
Published
2025-03-11
Title
Page Builder: Pagelayer – Drag and Drop website builder < 1.9.9 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode
Published
2024-02-12
Title
Sunshine Photo Cart: Free Client Galleries for Photographers < 3.1 - Unauthenticated Sensitive Information Exposure via Invoice
Published
2024-03-25
Title
Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
Published
2024-02-26
Title
Duitku Payment Gateway < 2.11.7 - Missing Authorization via check_duitku_response
Published
2024-10-31
Title
Multiple Page Generator Plugin – MPG < 4.0.2 - Missing Authorization