History: Sep 25, 2024 - 6:00 a.m.

CVE-2024-6845 SmartSearchWP < 2.4.6 - Unauthenticated OpenAI Key Disclosure

2024-09-25 06:00:04
WPScan
github.com
smartsearchwp
openai
key disclosure
chatgpt
wordpress
plugin

AI Score: 6.9
Confidence: High

EPSS: 0
Percentile: 9.6%

SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial

The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:smartsearchwp:chatbot_with_chatgpt_wordpress:*:*:*:*:*:*:*:*"
    ],
    "vendor": "smartsearchwp",
    "product": "chatbot_with_chatgpt_wordpress",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.4.6",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]
