AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.1 – Missing Authorization to Unauthenticated Media File Uploads | CVE 2025-13381 | Plugin Vulnerabilities

Description

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files.

Affects Plugins

ays-chatgpt-assistant

Fixed in 2.7.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/be3411ec-0e34-4b0b-a04c-98ac94396989

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

blue0x1

Verified

No

WPVDB ID

bfd8226d-220a-45f0-96a5-e4ff6edc0ad1

Timeline

Publicly Published

2025-11-26 (about 4 months ago)

Added

2025-11-26 (about 4 months ago)

Last Updated

2025-11-27 (about 4 months ago)

Other

Published

Title

Published

2026-01-12

Title

Electron <= 1.8.2 - Missing Authorization

Published

2024-05-31

Title

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.2.1 - Missing Authorization to Privilege Escalation

Published

2026-01-27

Title

ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.6 - Missing Authorization

Published

2025-06-05

Title

BM Content Builder < 3.16.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save

Published

2022-03-14

Title

Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update