CVE-2024-0453: WordPress ChatBot: missing authz deletes OpenAI files

HIGH
Published May 22, 2024
CISO Take

Any subscriber-level WordPress user can delete files from your organization's linked OpenAI account — including fine-tuned models and assistant training data. Patch to 5.3.5+ immediately or disable the plugin. Rotate the OpenAI API key and audit what files were deleted in your OpenAI account dashboard.

What is the risk?

High risk for organizations using the WordPress AI ChatBot plugin with a connected OpenAI account. Exploitation requires only a subscriber account (trivially obtained on many WordPress sites), no complex attack chains, and the impact extends beyond the WordPress perimeter into the OpenAI account itself. The scope change (CVSS S:C) reflects this cross-boundary blast radius. Not in CISA KEV and no confirmed active exploitation, but the low barrier makes opportunistic abuse realistic.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
WPBot pip No patch

Do you use WPBot? You're affected.

How severe is it?

CVSS 3.1
7.7 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 28% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Changed
C None
I High
A None

What should I do?

5 steps
  1. Patch immediately

    Update WordPress AI ChatBot plugin to 5.3.5 or later — the patch adds proper capability checks to openai_file_delete_callback.

  2. Rotate OpenAI API key

    Treat the existing key as potentially abused; generate a new one with least-privilege scopes (restrict to only needed endpoints).

  3. Audit OpenAI account

    Review Files API logs in the OpenAI dashboard for unexpected deletions. Restore from backups if fine-tuned models or assistant files are missing.

  4. Scope API keys

    Going forward, never use a full-access OpenAI API key in WordPress plugins — use scoped keys that only allow required operations.

  5. Detection

    Monitor OpenAI API key usage via organization audit logs; alert on bulk file deletions from unexpected sources.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.8.3 - Data Governance and Access Controls
NIST AI RMF
GOVERN 1.7 - AI Risk and Trustworthiness — Access Control Policies
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-0453?

Any subscriber-level WordPress user can delete files from your organization's linked OpenAI account — including fine-tuned models and assistant training data. Patch to 5.3.5+ immediately or disable the plugin. Rotate the OpenAI API key and audit what files were deleted in your OpenAI account dashboard.

Is CVE-2024-0453 actively exploited?

No confirmed active exploitation of CVE-2024-0453 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-0453?

1. Patch immediately: Update WordPress AI ChatBot plugin to 5.3.5 or later — the patch adds proper capability checks to openai_file_delete_callback.
2. Rotate OpenAI API key: Treat the existing key as potentially abused; generate a new one with least-privilege scopes (restrict to only needed endpoints).
3. Audit OpenAI account: Review Files API logs in the OpenAI dashboard for unexpected deletions. Restore from backups if fine-tuned models or assistant files are missing.
4. Scope API keys: Going forward, never use a full-access OpenAI API key in WordPress plugins — use scoped keys that only allow required operations.
5. Detection: Monitor OpenAI API key usage via organization audit logs; alert on bulk file deletions from unexpected sources.

What systems are affected by CVE-2024-0453?

This vulnerability affects the following AI/ML architecture patterns: WordPress-integrated LLM deployments, OpenAI Assistants API integrations, Fine-tuned model pipelines, RAG pipelines using OpenAI Files API, Plugin-based AI agent frameworks.

What is the CVSS score for CVE-2024-0453?

CVE-2024-0453 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

WordPress-integrated LLM deployments
OpenAI Assistants API integrations
Fine-tuned model pipelines
RAG pipelines using OpenAI Files API
Plugin-based AI agent frameworks

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.8.3
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account.
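
The missing capability check described in this advisory, and the kind of check the "Patch immediately" step refers to, as an added example. This is not the plugin's source or its actual patch. The action names, the `example_openai_api_key` option, the choice of `manage_options` as the required capability and the file-id pattern are assumptions made for illustration.

```php
<?php
// Added illustration; NOT the WPBot plugin's source. The action names, option
// name and helper below are hypothetical.

// BEFORE (CWE-862 pattern): wp_ajax_* hooks fire for every logged-in user,
// subscribers included, so being logged in is the only gate on this handler.
add_action('wp_ajax_example_file_delete_unsafe', 'example_file_delete_unsafe');
function example_file_delete_unsafe() {
    $file_id = sanitize_text_field(wp_unslash($_POST['file_id'] ?? ''));
    wp_send_json(example_openai_delete_file($file_id)); // no capability check
}

// AFTER: nonce, capability and input checks run before the API key is used.
add_action('wp_ajax_example_file_delete', 'example_file_delete');
function example_file_delete() {
    // Anti-CSRF nonce; the request dies with 403 if it is missing or invalid.
    check_ajax_referer('example_file_delete', 'nonce');
    // Authorization: only users who may manage site settings (assumed choice).
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }
    $file_id = sanitize_text_field(wp_unslash($_POST['file_id'] ?? ''));
    // Reject anything that is not a plain identifier before building the URL.
    if (!preg_match('/^[A-Za-z0-9_-]{1,128}$/', $file_id)) {
        wp_send_json_error(array('message' => 'Invalid file id'), 400);
    }
    // Audit trail tying each deletion to a WordPress user ID.
    error_log(sprintf('openai file delete: user=%d file=%s', get_current_user_id(), $file_id));
    wp_send_json(example_openai_delete_file($file_id));
}

// Hypothetical helper: DELETE /v1/files/{file_id} using the site's stored key.
function example_openai_delete_file($file_id) {
    $response = wp_remote_request(
        'https://api.openai.com/v1/files/' . rawurlencode($file_id),
        array(
            'method'  => 'DELETE',
            'headers' => array('Authorization' => 'Bearer ' . get_option('example_openai_api_key')),
            'timeout' => 15,
        )
    );
    if (is_wp_error($response)) {
        return array('success' => false, 'error' => $response->get_error_message());
    }
    $status = wp_remote_retrieve_response_code($response);
    return array('success' => 200 === $status, 'status' => $status);
}
```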

Exploitation Scenario

An attacker registers or compromises a subscriber account on a WordPress site using the vulnerable plugin. They then send a crafted authenticated HTTP request to the openai_file_delete_callback endpoint, passing a target OpenAI file_id. Because no capability check validates that the user should have administrative rights over the OpenAI integration, the request is processed and the file is permanently deleted from the organization's OpenAI account. A targeted attacker could enumerate and delete all files — destroying custom assistant knowledge bases, fine-tuned model training data, and RAG document stores — potentially taking down AI-powered features organization-wide. The entire attack requires only a valid subscriber session cookie and knowledge of the endpoint.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Timeline

Published
May 22, 2024
Last Modified
May 12, 2025
First Seen
May 22, 2024
