CVE-2024-6845: chatbot_with_chatgpt OpenAI API key

CISO Take

Any WordPress site running 'Chatbot with ChatGPT' before v2.4.6 is leaking its OpenAI API key to unauthenticated attackers — the encoding is trivially reversible. Update to 2.4.6+ immediately and rotate the API key, treating it as fully compromised. Monitor OpenAI API usage logs for anomalous spend or unauthorized requests before and after patching.

What is the risk?

CVSS 5.3 understates operational risk. The attack is zero-friction: no authentication, no user interaction, network-accessible, low complexity. The leaked API key enables financial harm via API cost abuse, unauthorized access to AI-generated content at the victim's expense, and potential exposure of conversation history. WordPress plugins with embedded AI credentials represent a rapidly growing and poorly-audited attack surface for LLM API key theft.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
chatbot_with_chatgpt	—	—	No patch

Do you use chatbot_with_chatgpt? You're affected.

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

1.1%

chance of exploitation in 30 days

Higher than 61% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I None

A None

What should I do?

6 steps

Update plugin to v2.4.6+ immediately — this is the only full remediation.
Rotate the OpenAI API key unconditionally — treat as compromised regardless of observed exploitation.
Set API spend limits and budget alerts in the OpenAI dashboard to cap financial exposure.
Audit OpenAI API usage logs for the period the vulnerable plugin was active.
Scan all WordPress instances in the environment for this plugin version via WPScan or equivalent.
Establish a policy requiring security review before deploying plugins that store third-party AI API credentials.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass API Plugin AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0091.000 - Application Access Token

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - Access control for AI systems

NIST AI RMF

GOVERN-6.1 - Policies for AI risk management across the organization

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-6845?

Any WordPress site running 'Chatbot with ChatGPT' before v2.4.6 is leaking its OpenAI API key to unauthenticated attackers — the encoding is trivially reversible. Update to 2.4.6+ immediately and rotate the API key, treating it as fully compromised. Monitor OpenAI API usage logs for anomalous spend or unauthorized requests before and after patching.

Is CVE-2024-6845 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-6845, increasing the risk of exploitation.

How to fix CVE-2024-6845?

1. Update plugin to v2.4.6+ immediately — this is the only full remediation. 2. Rotate the OpenAI API key unconditionally — treat as compromised regardless of observed exploitation. 3. Set API spend limits and budget alerts in the OpenAI dashboard to cap financial exposure. 4. Audit OpenAI API usage logs for the period the vulnerable plugin was active. 5. Scan all WordPress instances in the environment for this plugin version via WPScan or equivalent. 6. Establish a policy requiring security review before deploying plugins that store third-party AI API credentials.

What systems are affected by CVE-2024-6845?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI chatbot deployments, LLM API integrations, plugin-based AI implementations, SaaS-embedded AI features via third-party plugins.

What is the CVSS score for CVE-2024-6845?

CVE-2024-6845 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 1.08%.

What is the AI security impact?

Affected AI Architectures

WordPress AI chatbot deploymentsLLM API integrationsplugin-based AI implementationsSaaS-embedded AI features via third-party plugins

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.2.5

NIST AI RMF: GOVERN-6.1

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key

Exploitation Scenario

An attacker enumerates WordPress sites via WPScan, Shodan, or targeted Google dorking, identifying installations running the vulnerable plugin version. They call the exposed REST endpoint without credentials, receive the encoded OpenAI API key in the HTTP response, and decode it in seconds (trivial encoding such as base64). With valid OpenAI credentials in hand, the attacker runs unlimited API queries at the victim's expense, probes for stored conversation data, or lists the key on underground markets. No AI or ML knowledge is required — this is a standard web exploitation path accessible to commodity threat actors.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

[Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
[Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.