CVE-2024-0451: wpbot: missing auth exposes OpenAI account files

MEDIUM PoC AVAILABLE
Published May 22, 2024
CISO Take

Any subscriber-level WordPress user on sites running AI ChatBot plugin ≤5.3.4 can enumerate all files stored in the site's linked OpenAI account. Update the plugin immediately and rotate the associated OpenAI API key. Audit your OpenAI account for sensitive fine-tuning datasets, assistant knowledge files, or proprietary documents that may have been exposed.

What is the risk?

Medium CVSS (5.0) understates the real-world risk when the linked OpenAI account contains fine-tuning datasets or proprietary RAG documents. Exploitation requires only subscriber-level WordPress access — trivially obtained on sites with open registration. No user interaction or elevated privileges needed. The risk is highest for organizations using OpenAI Assistants API or fine-tuning workflows where uploaded files contain IP or PII.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
WPBot pip No patch

How severe is it?

CVSS 3.1: 5.0 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

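AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): None
A (Availability): None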

What should I do?

6 steps
  1. Update AI ChatBot plugin to the patched version (changeset 3089461 or later).

  2. Immediately rotate the OpenAI API key used by the plugin — file listing reveals account structure useful for targeted follow-on attacks.

  3. Audit files in the OpenAI account dashboard and remove sensitive or proprietary content.

  4. If patching is delayed, disable public WordPress user registration to limit subscriber-level access.

  5. Review WordPress user roles and revoke unnecessary accounts.

  6. Monitor OpenAI API usage logs for anomalous file-list calls originating from the plugin key.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.3 - Information security controls for AI systems
NIST AI RMF: GOVERN 6.2 - Policies and procedures for third-party AI risks
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-0451 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-0451, increasing the risk of exploitation.

What systems are affected by CVE-2024-0451?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin integrations, OpenAI Assistants API deployments, LLM fine-tuning pipelines, RAG knowledge base pipelines.

What is the CVSS score for CVE-2024-0451?

CVE-2024-0451 has a CVSS v3.1 base score of 5.0 (MEDIUM). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin integrations
OpenAI Assistants API deployments
LLM fine-tuning pipelines
RAG knowledge base pipelines

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0012 Valid Accounts
AML.T0035 AI Artifact Collection
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

The AI ChatBot plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the openai_file_list_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to list files existing in a linked OpenAI account.

Exploitation Scenario

An attacker registers as a subscriber on a target WordPress site (or uses a compromised low-privilege account) and directly calls the plugin's openai_file_list_callback REST endpoint. Because the capability check is missing, the plugin accepts the low-privileged request and proxies it to the OpenAI Files API using the site's stored API key. The attacker receives a full inventory of files in the organization's OpenAI account — including fine-tuning datasets and assistant knowledge documents — along with file IDs that can be used to retrieve file metadata or inform targeted exfiltration of the organization's AI intellectual property.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.
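
For auditing other plugins for the same CWE-862 pattern as the missing capability check in the advisory above, the following is an added example, not code from the plugin or from this page's sources. It generalizes from the one named callback to any handler registered on a `wp_ajax_` hook and flags those that never call `current_user_can()`. The embedded PHP is a constructed sample: its hook, option and helper names are hypothetical, and this page does not show how the real plugin registers openai_file_list_callback.

```python
import re

# Constructed sample plugin source, not the real WPBot code. Hook names and
# option names are hypothetical; only openai_file_list_callback is from the advisory.
SAMPLE_PHP = r"""
add_action('wp_ajax_example_file_list', 'openai_file_list_callback');
add_action('wp_ajax_example_settings_save', 'example_settings_save_callback');

function openai_file_list_callback() {
    check_ajax_referer('example_nonce');   // a nonce is not an authorization check
    $files = example_fetch_openai_files(get_option('example_openai_api_key'));
    wp_send_json($files);
}

function example_settings_save_callback() {
    check_ajax_referer('example_nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('example_setting', sanitize_text_field($_POST['value']));
    wp_send_json_success();
}
"""

# wp_ajax_<action> hooks run for every logged-in user, subscribers included.
HOOK_RE = re.compile(r'add_action\(\s*[\'"](wp_ajax_(?:nopriv_)?\w+)[\'"]\s*,\s*[\'"](\w+)[\'"]')
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")

def function_body(src, name):
    """Return the body of PHP function `name` by brace matching (naive: braces
    inside strings or comments are not handled)."""
    for m in FUNC_RE.finditer(src):
        if m.group(1) != name:
            continue
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        return src[m.end():i - 1]
    return None

def unguarded_ajax_handlers(src):
    """List (hook, callback) pairs whose callback never calls current_user_can()."""
    return [(hook, cb) for hook, cb in HOOK_RE.findall(src)
            if (body := function_body(src, cb)) is not None
            and "current_user_can(" not in body]

if __name__ == "__main__":
    for hook, cb in unguarded_ajax_handlers(SAMPLE_PHP):
        print(f"{hook}: {cb}() has no capability check")
```

A hit is a lead for manual review rather than proof of a flaw, since a handler may delegate its authorization check to a helper function that this heuristic does not follow.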

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Timeline

Published
May 22, 2024
Last Modified
May 12, 2025
First Seen
May 22, 2024
