CVE-2023-1651 — MEDIUM (CVSS 5.4) AI Security Vulnerability

CISO Take

Any authenticated WordPress user (subscriber-level) can overwrite your OpenAI API settings—redirecting LLM traffic, exhausting API quotas, or swapping in a malicious endpoint—and simultaneously plant stored XSS that fires when an admin opens the plugin settings. Patch to AI ChatBot 4.4.9+ immediately and rotate your OpenAI API key as a precaution. If your site allows open user registration, disable it or audit subscriber accounts now.

Risk Assessment

Rated medium by CVSS, but practical exploitability is higher than the score suggests: subscriber accounts are often trivially obtained on WordPress sites with open registration. The dual impact—API key hijack plus persistent XSS—creates a compounded risk where an attacker can both abuse your AI infrastructure costs and escalate to admin session theft. No active exploitation reported, but the exploit surface is wide given WordPress's market share among SMB deployments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
wpbot	pip	—	No patch

Do you use wpbot? You're affected.

Severity & Risk

CVSS 3.1

5.4 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 33% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI Required

S Changed

C Low

I Low

A None

Recommended Action

6 steps

PATCH

Upgrade AI ChatBot plugin to version 4.4.9 or later—this is the only full fix.
ROTATE

Revoke and regenerate the OpenAI API key immediately, especially if site has registered users you don't control.
AUDIT

Review WordPress user accounts; disable open registration if not operationally required.
DETECT

Check server logs for unauthorized POST requests to wp-admin/admin-ajax.php targeting this plugin's AJAX action.
HARDEN

Review Content-Security-Policy headers on the WP admin panel to limit XSS blast radius.
MONITOR

Set billing alerts on your OpenAI account to detect anomalous API usage patterns.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Leakage Code Execution Plugin API AML.T0012 - Valid Accounts AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0096 - AI Service API

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.9 - Risk management system

ISO 42001

A.6.1.2 - AI system access control A.9.4 - Secure AI system operation

NIST AI RMF

PROTECT-2.2 - AI system security and resilience

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2023-1651?

Any authenticated WordPress user (subscriber-level) can overwrite your OpenAI API settings—redirecting LLM traffic, exhausting API quotas, or swapping in a malicious endpoint—and simultaneously plant stored XSS that fires when an admin opens the plugin settings. Patch to AI ChatBot 4.4.9+ immediately and rotate your OpenAI API key as a precaution. If your site allows open user registration, disable it or audit subscriber accounts now.

Is CVE-2023-1651 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-1651, increasing the risk of exploitation.

How to fix CVE-2023-1651?

1. PATCH: Upgrade AI ChatBot plugin to version 4.4.9 or later—this is the only full fix. 2. ROTATE: Revoke and regenerate the OpenAI API key immediately, especially if site has registered users you don't control. 3. AUDIT: Review WordPress user accounts; disable open registration if not operationally required. 4. DETECT: Check server logs for unauthorized POST requests to wp-admin/admin-ajax.php targeting this plugin's AJAX action. 5. HARDEN: Review Content-Security-Policy headers on the WP admin panel to limit XSS blast radius. 6. MONITOR: Set billing alerts on your OpenAI account to detect anomalous API usage patterns.

What systems are affected by CVE-2023-1651?

This vulnerability affects the following AI/ML architecture patterns: WordPress-based LLM chatbot deployments, Third-party LLM API integrations (OpenAI), AI plugin ecosystems.

What is the CVSS score for CVE-2023-1651?

CVE-2023-1651 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS

Exploitation Scenario

An attacker creates or compromises a subscriber account on a WordPress site running the vulnerable plugin. They issue a crafted AJAX POST to wp-admin/admin-ajax.php, exploiting the missing authorization check to replace the OpenAI API key with their own—routing all chatbot queries through attacker infrastructure and capturing user conversations. In the same request, they inject a stored XSS payload (e.g., a cookie-stealing script) into an unescaped settings field. When the WordPress admin next opens the AI ChatBot settings page, the payload executes in their browser, exfiltrating the admin session token. The attacker now has full WordPress access, the original API key, and a log of intercepted user conversations.