CVE-2023-1651: AI ChatBot WP: auth bypass exposes OpenAI config + XSS

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 8, 2023
CISO Take

Any authenticated WordPress user (subscriber-level) can overwrite your OpenAI API settings—redirecting LLM traffic, exhausting API quotas, or swapping in a malicious endpoint—and simultaneously plant stored XSS that fires when an admin opens the plugin settings. Patch to AI ChatBot 4.4.9+ immediately and rotate your OpenAI API key as a precaution. If your site allows open user registration, disable it or audit subscriber accounts now.

What is the risk?

Rated medium by CVSS, but practical exploitability is higher than the score suggests: subscriber accounts are often trivially obtained on WordPress sites with open registration. The dual impact—API key hijack plus persistent XSS—creates a compounded risk where an attacker can both abuse your AI infrastructure costs and escalate to admin session theft. No active exploitation reported, but the exploit surface is wide given WordPress's market share among SMB deployments.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
WPBot pip No patch

Do you use WPBot? You're affected.

How severe is it?

CVSS 3.1: 5.4 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 15% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

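AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None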

What should I do?

  1. PATCH

    Upgrade AI ChatBot plugin to version 4.4.9 or later—this is the only full fix.

  2. ROTATE

    Revoke and regenerate the OpenAI API key immediately, especially if the site has registered users you don't control.

  3. AUDIT

    Review WordPress user accounts; disable open registration if not operationally required.

  4. DETECT

    Check server logs for unauthorized POST requests to wp-admin/admin-ajax.php targeting this plugin's AJAX action.

  5. HARDEN

    Review Content-Security-Policy headers on the WP admin panel to limit XSS blast radius.

  6. MONITOR

    Set billing alerts on your OpenAI account to detect anomalous API usage patterns.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
A.6.1.2 - AI system access control
A.9.4 - Secure AI system operation
NIST AI RMF
PROTECT-2.2 - AI system security and resilience
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2023-1651 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-1651, increasing the risk of exploitation.

What systems are affected by CVE-2023-1651?

This vulnerability affects the following AI/ML architecture patterns: WordPress-based LLM chatbot deployments, Third-party LLM API integrations (OpenAI), AI plugin ecosystems.

What is the CVSS score for CVE-2023-1651?

CVE-2023-1651 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

WordPress-based LLM chatbot deployments
Third-party LLM API integrations (OpenAI)
AI plugin ecosystems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0096 AI Service API

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.1.2, A.9.4
NIST AI RMF: PROTECT-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF checks in the AJAX action responsible for updating the OpenAI settings, allowing any authenticated user, such as a subscriber, to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS.
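
The three controls the advisory names as missing (authorisation, CSRF protection, escaping), shown together in a WordPress settings handler. This is an added example, not the AI ChatBot plugin's own code: the action name, nonce action, option name and field names are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not the AI ChatBot source.
// 'example_save_openai_settings', 'example_openai_settings' and
// 'example_openai_api_key' are assumed names chosen for illustration.

add_action( 'wp_ajax_example_save_openai_settings', 'example_save_openai_settings' );
// No wp_ajax_nopriv_ hook is registered: logged-out callers never reach the handler.

function example_save_openai_settings() {
    // CSRF: dies with a 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_openai_settings', 'nonce' );

    // Authorisation: wp_ajax_* fires for ANY logged-in user, subscribers
    // included, so the capability check has to be explicit.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Input handling: unslash, then sanitise before the value is stored.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';

    update_option( 'example_openai_api_key', $api_key );
    wp_send_json_success();
}

// Settings page: escape on output so a stored value stays inside the attribute
// even if something unsanitised reached the database earlier.
function example_render_openai_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $api_key = get_option( 'example_openai_api_key', '' );
    ?>
    <form id="example-openai-settings">
        <input type="hidden" name="nonce"
               value="<?php echo esc_attr( wp_create_nonce( 'example_openai_settings' ) ); ?>">
        <input type="text" name="api_key"
               value="<?php echo esc_attr( $api_key ); ?>">
    </form>
    <?php
}
```

When reviewing other plugins for the same flaw, look for `wp_ajax_` hooks whose callbacks write options without both a nonce check and a `current_user_can()` call.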

Exploitation Scenario

An attacker creates or compromises a subscriber account on a WordPress site running the vulnerable plugin. They issue a crafted AJAX POST to wp-admin/admin-ajax.php, exploiting the missing authorization check to replace the OpenAI API key with their own—routing all chatbot queries through attacker infrastructure and capturing user conversations. In the same request, they inject a stored XSS payload (e.g., a cookie-stealing script) into an unescaped settings field. When the WordPress admin next opens the AI ChatBot settings page, the payload executes in their browser, exfiltrating the admin session token. The attacker now has full WordPress access, the original API key, and a log of intercepted user conversations.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: May 8, 2023
Last Modified: May 12, 2025
First Seen: May 8, 2023
