CVE-2024-0453 - Vulnerability Details - OpenCVE

The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Quantumcloud	Wpbot

Configuration 1 [-]

cpe:2.3:a:quantumcloud:wpbot:*:*:*:*:free:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133
https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve

History

Mon, 12 May 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Quantumcloud Quantumcloud wpbot
Weaknesses		CWE-862
CPEs		cpe:2.3:a:quantumcloud:wpbot:::::free:wordpress::
Vendors & Products		Quantumcloud Quantumcloud wpbot

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-22T03:17:49.652Z

Updated: 2024-08-01T18:04:49.790Z

Reserved: 2024-01-12T00:09:45.986Z

Link: CVE-2024-0453

Vulnrichment

Updated: 2024-08-01T18:04:49.790Z

NVD

Status : Analyzed

Published: 2024-05-22T04:15:09.757

Modified: 2025-05-12T14:00:44.957

Link: CVE-2024-0453

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0453", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-12T00:09:45.986Z", "datePublished": "2024-05-22T03:17:49.652Z", "dateUpdated": "2024-08-01T18:04:49.790Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-22T03:17:49.652Z"}, "affected": [{"vendor": "quantumcloud", "product": "AI ChatBot for WordPress \u2013 WPBot", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account."}], "title": "AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_delete_callback", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133"}, {"url": "https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "timeline": [{"time": "2024-05-21T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T14:51:29.507851Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:59:21.856Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.790Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.790Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T14:51:29.507851Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-22T14:51:34.289Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_delete_callback", "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "quantumcloud", "product": "AI ChatBot for WordPress \u2013 WPBot", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.3.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-21T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133"}, {"url": "https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php"}], "descriptions": [{"lang": "en", "value": "The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-22T03:17:49.652Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0453", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:04:49.790Z", "dateReserved": "2024-01-12T00:09:45.986Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-22T03:17:49.652Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quantumcloud:wpbot:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "9586BB2C-7F76-47E5-89EF-7BE825ED9410", "versionEndExcluding": "5.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account."}, {"lang": "es", "value": "El complemento AI ChatBot para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n openai_file_delete_callback en todas las versiones hasta la 5.3.4 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen archivos de una cuenta OpenAI vinculada."}], "id": "CVE-2024-0453", "lastModified": "2025-05-12T14:00:44.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-05-22T04:15:09.757", "references": [{"source": "[email protected]", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L133"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0ef4a5-42d7-4cea-b19f-51917e3ee55f?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}