We use cookies to improve your experience on our site.
AVID-2026-R1353
Description
AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_list_callback (CVE-2024-0451)
Details
The AI ChatBot plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the openai_file_list_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to list files existing in a linked OpenAI account.
Reason for inclusion in AVID: CVE-2024-0451 describes a missing authorization check in the AI ChatBot WordPress plugin (OpenAI integration) allowing authenticated attackers to enumerate files in a linked OpenAI account. This is a software vulnerability affecting an AI software component used in AI workflows (plugin using OpenAI), representing a supply chain issue in AI deployment stacks. The report provides explicit details (affected version <= 5.3.4, impact, references from NVD/Wordfence), establishing a clear security flaw with real-world impact on AI software components.
References
- NVD entry
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0572a5-6cc9-43ab-a4a3-c8d3b93c8fcf?source=cve
- https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L175
- https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php
Affected or Relevant Artifacts
- Developer: quantumcloud
- Deployer: quantumcloud
- Artifact Details:
| Type | Name |
|---|---|
| System | AI ChatBot for WordPress – WPBot |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| Base Score | 5.0 |
| Base Severity | 🟠 Medium |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-05-22
- Version: 0.3.3
- AVID Entry