AVID-2026-R1177
Description
ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS (CVE-2023-1651)
Details
The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF checks in the AJAX action responsible for updating the OpenAI settings, allowing any authenticated user, such as a subscriber, to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS.
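As an added illustration (not the plugin's own code), the following hypothetical WordPress AJAX settings handler shows the three defects the advisory names, missing nonce check, missing capability check and unescaped output, next to a corrected form. All `acb_`-prefixed names, the option key and the allow-listed model values are assumptions.

```php
<?php
// Hypothetical handler illustrating the bug class in CVE-2023-1651.
// Names (acb_*), option key and model values are assumptions, not the plugin's real code.

// BEFORE (shown for contrast, not hooked): no nonce, no capability check, raw value stored.
function acb_update_openai_settings_vulnerable() {
    $model = $_POST['openai_model']; // untrusted and unsanitised
    update_option( 'acb_openai_settings', array( 'model' => $model ) );
    wp_send_json_success();
}
// Note: wp_ajax_* hooks fire for ANY logged-in user (subscribers included);
// authorisation must be enforced inside the callback.

// AFTER: CSRF protection, authorisation and input sanitisation.
function acb_update_openai_settings_fixed() {
    // 1. CSRF: verify the nonce issued with the settings form (dies on failure).
    check_ajax_referer( 'acb_openai_settings_nonce', '_ajax_nonce' );

    // 2. Authorisation: only users allowed to manage options, not any subscriber.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitise before storing and reject anything outside an allow-list.
    $model   = sanitize_text_field( wp_unslash( $_POST['openai_model'] ?? '' ) );
    $allowed = array( 'gpt-3.5-turbo', 'gpt-4' ); // example values only
    if ( ! in_array( $model, $allowed, true ) ) {
        wp_send_json_error( 'invalid model', 400 );
    }
    update_option( 'acb_openai_settings', array( 'model' => $model ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_acb_update_openai_settings', 'acb_update_openai_settings_fixed' );

// 4. Escape on output: the stored value is rendered with esc_attr(), so a value
// that slipped past sanitisation still cannot break out of the attribute.
function acb_render_model_field() {
    $settings = get_option( 'acb_openai_settings', array( 'model' => '' ) );
    printf(
        '<input type="text" name="openai_model" value="%s">%s',
        esc_attr( $settings['model'] ),
        wp_nonce_field( 'acb_openai_settings_nonce', '_ajax_nonce', true, false )
    );
}
```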
Reason for inclusion in AVID: CVE-2023-1651 describes a vulnerability in the AI ChatBot WordPress plugin (pre-4.4.9) that allows unauthorized updates to OpenAI settings and stored XSS. This plugin is used to deploy AI-enabled chat functionality via OpenAI, so it concerns AI systems and their deployment stack. It affects a component used to build and run AI-enabled services, i.e., a software supply chain element for general-purpose AI systems. The vulnerability is security-related (CSRF/authorization bypass and XSS), with clear evidence in the CVE description and references.
References
Affected or Relevant Artifacts
- Developer: Unknown
- Deployer: Unknown
- Artifact Details:
| Type | Name |
|---|---|
| System | AI ChatBot |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-05-08
- Version: 0.3.3
- AVID Entry