AVID-2026-R1592
Description
SmartSearchWP < 2.4.6 - Unauthenticated OpenAI Key Disclosure (CVE-2024-6845)
Details
The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not perform a proper authorization check on one of its REST endpoints. An unauthenticated user can call that endpoint to retrieve the stored, encoded OpenAI API key and then decode it, leaking the key. Because the key is only encoded rather than encrypted, anyone who can reach the endpoint can recover it; sites should update to 2.4.6 or later and also rotate the OpenAI API key, since a key that was reachable through the endpoint must be treated as already compromised.
Reason for inclusion in AVID: CVE-2024-6845 describes an unauthenticated disclosure of an OpenAI API key via a WordPress plugin, enabling retrieval and decoding of the key. This concerns a software component used to enable AI functionality (OpenAI API integration) and represents a security vulnerability in a component of the AI software supply chain (AI tooling/deployment pipeline). The issue is relevant to AI systems and their deployment stack, not hardware/firmware-only.
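The following is an added illustration of the bug class described above, written as a WordPress REST route; it is not the plugin's own code, and the namespace, route paths, option name and the base64 "encoding" are hypothetical stand-ins, since the vulnerable endpoint is not named in this entry. The first registration reproduces the flaw (a `permission_callback` that returns true for everyone and a handler that hands back the secret), the second shows the corrected pattern.

```php
<?php
// Added example, not from the Chatbot with ChatGPT plugin. Route names,
// the option name and the encoding are assumptions for illustration.

// VULNERABLE: '__return_true' makes the route public, so an unauthenticated
// GET /wp-json/example-chatbot/v1/settings returns the stored key. Base64 is
// not encryption; any client can reverse it with base64_decode().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chatbot/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            $key = get_option( 'example_chatbot_openai_key', '' );
            return rest_ensure_response( array(
                'api_key_encoded' => base64_encode( $key ),
            ) );
        },
    ) );
} );

// HARDENED: the route requires the manage_options capability, and even for
// an administrator the secret itself never leaves the server. Calls to
// OpenAI should be proxied server-side so the browser never needs the key.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chatbot/v1', '/settings-status', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $key = get_option( 'example_chatbot_openai_key', '' );
            // Report only whether a key is set plus a non-reversible hint
            // for the admin UI (prefix and last four characters).
            $hint = ( $key === '' ) ? '' : substr( $key, 0, 3 ) . '...' . substr( $key, -4 );
            return rest_ensure_response( array(
                'api_key_configured' => ( $key !== '' ),
                'api_key_hint'       => $hint,
            ) );
        },
    ) );
} );
```

A quick check for either version is an unauthenticated `GET` against the route: WordPress core evaluates `permission_callback` before the handler runs, so the hardened route answers with a `rest_forbidden` error (HTTP 401 for a logged-out client, 403 for a logged-in user without the capability) and the key is never serialized, while the vulnerable route returns 200 with the encoded secret. Any plugin route whose `permission_callback` is `__return_true` and whose handler touches stored credentials deserves the same review.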
References
Affected or Relevant Artifacts
- Developer: SmartSearchWP (Chatbot with ChatGPT WordPress plugin)
- Deployer: WordPress site operators running the plugin; the leaked credential is the site's OpenAI API key
- Artifact Details:
| Type | Name |
|---|---|
| System | Chatbot with ChatGPT WordPress |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-09-25
- Version: 0.3.3
- AVID Entry