CVE-2024-7714 – AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls
https://notcve.org/view.php?id=CVE-2024-7714
The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls, allowing an unauthenticated user to disconnect the plugin from OpenAI, thereby disabling it. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'.
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions, such as 'ays_chatgpt_disconnect', hooked via the AJAX action ays_chatgpt_admin_ajax in versions up to, and including, 2.0.9. This makes it possible for unauthenticated attackers to perform unauthorized actions like disconnecting the plugin.
• https://wpscan.com/vulnerability/04447c76-a61b-4091-a510-c76fc8ca5664
• CWE-862: Missing Authorization
CVE-2024-7713 – AI Chatbot with ChatGPT by AYS <= 2.0.9 - Unauthenticated OpenAI Key Disclosure
https://notcve.org/view.php?id=CVE-2024-7713
The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the OpenAI API key, allowing unauthenticated users to obtain it.
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.9 via the ays_chatgpt_admin_ajax AJAX action. This makes it possible for unauthenticated attackers to retrieve the OpenAI key connected to the site.
• https://wpscan.com/vulnerability/061eab97-4a84-4738-a1e8-ef9a1261ff73
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor