We use cookies to improve your experience on our site.
AVID-2026-R1354
Description
AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_delete_callback (CVE-2024-0453)
Details
The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account.
Reason for inclusion in AVID: CVE-2024-0453 describes an authorization bypass in the AI ChatBot WordPress plugin that allows authenticated users to delete files from a linked OpenAI account. This is a vulnerability in a third-party component used to deploy AI chat capabilities, i.e., a software supply-chain component in AI deployments. It concerns AI-related software and constitutes a security vulnerability (data integrity/privilege escalation). The report provides sufficient signals (affected versions, impact, and references) to support curation.
References
- NVD entry
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve
- https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133
- https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php
Affected or Relevant Artifacts
- Developer: quantumcloud
- Deployer: quantumcloud
- Artifact Details:
| Type | Name |
|---|---|
| System | AI ChatBot for WordPress – WPBot |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N |
| Base Score | 5.0 |
| Base Severity | 🟠 Medium |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-05-22
- Version: 0.3.3
- AVID Entry