CVE-2024-0452: WordPress AI ChatBot: auth bypass enables OpenAI file upload

HIGH PoC AVAILABLE
Published May 22, 2024
CISO Take

Any authenticated WordPress subscriber can upload arbitrary files to your linked OpenAI account — this bypasses your OpenAI access controls entirely via a missing capability check in the plugin. Update wpbot to 5.3.5+ immediately and rotate your OpenAI API key. Audit your OpenAI Files API storage for unauthorized uploads and monitor for unexpected API cost spikes.

What is the risk?

High severity (CVSS 7.7, Scope:Changed). Exploitability is trivial: any registered WordPress user (subscriber role, the lowest privilege level) can trigger this with a single authenticated request — no special skills required. The blast radius extends beyond the WordPress install itself to the connected OpenAI account, meaning the real asset at risk is your OpenAI API key and associated billing/data. Sites with open user registration are immediately exposed.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
WPBot pip No patch

Do you use WPBot? You're affected.

How severe is it?

CVSS 3.1
7.7 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 28% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C None
I High
A None

What should I do?

6 steps
  1. Patch: Update the AI ChatBot plugin to version 5.3.5 or later immediately via WordPress admin panel.

  2. Rotate credentials: Revoke and regenerate the OpenAI API key associated with this WordPress installation.

  3. Audit: Review files in your OpenAI account (platform.openai.com > Storage > Files) for unauthorized uploads; delete any suspicious entries.

  4. Monitor: Set up OpenAI usage alerts to detect unexpected cost spikes or API call anomalies.

  5. Workaround (if patching is delayed): Disable user registration on the WordPress site or restrict the OpenAI API key to minimum required permissions via OpenAI's key scoping.

  6. Detect: Review WordPress access logs for POST requests to the openai_file_upload_callback endpoint from low-privilege user sessions.
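A way to script the audit in step 3, as an added example that is not part of the advisory or the plugin: it triages the JSON returned by the OpenAI Files list endpoint (`GET /v1/files`) against an inventory of file IDs you uploaded yourself. The inventory, the exposure window, the size threshold and the sample listing are all assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def ts(y, m, d):
    """UTC midnight as a Unix timestamp, the unit of the Files API `created_at` field."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample shaped like a GET /v1/files response body (not real data).
SAMPLE_LISTING = {"object": "list", "data": [
    {"id": "file-EXAMPLE1", "bytes": 48_211, "created_at": ts(2024, 3, 1),
     "filename": "faq_train.jsonl", "purpose": "fine-tune"},
    {"id": "file-EXAMPLE2", "bytes": 51_903, "created_at": ts(2024, 5, 25),
     "filename": "faq_train_v2.jsonl", "purpose": "fine-tune"},
    {"id": "file-EXAMPLE3", "bytes": 402_653_184, "created_at": ts(2024, 5, 27),
     "filename": "data.bin", "purpose": "fine-tune"},
    {"id": "file-EXAMPLE4", "bytes": 9_120, "created_at": ts(2024, 6, 20),
     "filename": "notes.jsonl", "purpose": "assistants"},
]}

def audit_files(listing, known_ids, window, max_bytes):
    """Return (file_id, reasons) for each file needing manual review.

    known_ids: IDs your own pipeline recorded as uploaded (assumed inventory).
    window:    (start, end) Unix times the vulnerable plugin held a live key.
    max_bytes: largest upload you expect; bigger files suggest cost inflation.
    """
    start, end = window
    findings = []
    for f in listing.get("data", []):
        unknown = f["id"] not in known_ids
        in_window = start <= f["created_at"] <= end
        oversized = f["bytes"] > max_bytes
        # A file you uploaded yourself inside the window is expected, so the
        # window alone never flags; it only raises the priority of other hits.
        if unknown or oversized:
            reasons = [label for hit, label in (
                (unknown, "not in upload inventory"),
                (in_window, "created during exposure window"),
                (oversized, "larger than expected")) if hit]
            findings.append((f["id"], reasons))
    findings.sort(key=lambda item: -len(item[1]))  # most reasons first
    return findings

def demo():
    """Run the audit over the constructed listing with constructed parameters."""
    known = {"file-EXAMPLE1", "file-EXAMPLE2"}
    window = (ts(2024, 5, 22), ts(2024, 6, 1))
    return audit_files(SAMPLE_LISTING, known, window, 50 * 1024 * 1024)
```

Files the audit returns are candidates for deletion after review; a file that is in the inventory and of normal size is not flagged even when it was created inside the window.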

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.2 - Access control to AI systems and tools
NIST AI RMF
GOVERN 1.7 - Organizational practices and policies for AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2024-0452 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-0452, increasing the risk of exploitation.

What systems are affected by CVE-2024-0452?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin integrations, LLM API-connected web applications, OpenAI fine-tuning pipelines, Shared LLM API accounts across multi-tenant apps.

What is the CVSS score for CVE-2024-0452?

CVE-2024-0452 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin integrations
LLM API-connected web applications
OpenAI fine-tuning pipelines
Shared LLM API accounts across multi-tenant apps

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0020 Poison Training Data
AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.2
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_upload_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files to a linked OpenAI account.

Exploitation Scenario

An adversary registers a free subscriber account on a WordPress site running the vulnerable AI ChatBot plugin. They then send an authenticated POST request to the `openai_file_upload_callback` endpoint, attaching a crafted file (e.g., a poisoned JSONL fine-tuning dataset or a large binary to inflate costs). The file is uploaded directly to the site owner's OpenAI account without any capability verification. In a targeted attack, the adversary could upload a malicious fine-tuning dataset designed to backdoor or degrade the model if the site owner later uses those files for fine-tuning. In an opportunistic attack, they upload large files repeatedly to inflate the victim's OpenAI API costs.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Timeline

Published
May 22, 2024
Last Modified
May 12, 2025
First Seen
May 22, 2024

Related Vulnerabilities