CVE-2024-7714: AYS ChatGPT WP Plugin: auth bypass disables AI service

Severity: HIGH | PoC available | Nuclei template available | CISA SSVC: Track*
Published September 27, 2024
CISO Take

Any unauthenticated user can disconnect your WordPress AI chatbot from OpenAI or reconnect it with arbitrary credentials, effectively hijacking or killing the service. If you run this plugin on any customer-facing WordPress site, patch to 2.1.0 immediately — no authentication required to exploit means automated scanners will find and abuse this within hours of deployment. The 'connect' action is the more dangerous of the three: an attacker may substitute their own OpenAI API key, redirecting all conversations and potentially exfiltrating user queries.

What is the risk?

High exploitability: network-accessible, no authentication, no user interaction, low complexity — trivially scriptable. The CVSS integrity score is High because the 'connect' action can redirect the AI service to attacker-controlled credentials. Real-world exposure is scoped to WordPress sites using this specific plugin, limiting blast radius, but the simplicity of exploitation compensates. Not in CISA KEV and no public exploit PoC confirmed, but the attack surface is fully exposed via standard WordPress AJAX endpoints.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
chatgpt_assistant | - | - | No patch

Do you use chatgpt_assistant? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 53% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

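Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None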

What should I do?

  1. Patch immediately: update to AYS AI ChatBot plugin version 2.1.0 or later.

  2. Verify your OpenAI API key was not replaced: check plugin settings and rotate your OpenAI API key regardless — treat it as potentially compromised if this plugin was exposed pre-patch.

  3. Review WordPress access logs for POST requests to wp-admin/admin-ajax.php with action=ays_chatgpt_disconnect, ays_chatgpt_connect, or ays_chatgpt_save_feedback from unauthenticated sessions.

  4. If patching is not immediately possible, block unauthenticated AJAX requests to these action handlers via WAF rules.

  5. Enable WordPress plugin auto-updates for security releases.
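For step 3, one way to triage request logs, written as an added example (not code from the plugin or the advisory). It assumes a reverse proxy or WAF that writes JSON lines with the hypothetical fields ts, src, uri, cookie and body, because default access logs record neither POST bodies nor cookies; it also checks the query string, since admin-ajax.php accepts the action parameter there as well.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Action names taken from the advisory text.
WATCHED = {"ays_chatgpt_disconnect", "ays_chatgpt_connect", "ays_chatgpt_save_feedback"}

def requested_actions(entry):
    """Collect 'action' values from the query string and a form-encoded body."""
    actions = parse_qs(urlsplit(entry.get("uri", "")).query).get("action", [])
    actions += parse_qs(entry.get("body") or "").get("action", [])
    return set(actions)

def looks_logged_in(entry):
    # Heuristic only: WordPress auth cookies are named wordpress_logged_in_<hash>;
    # the presence of the name does not prove the session was valid.
    return "wordpress_logged_in_" in (entry.get("cookie") or "")

def find_suspect_requests(lines):
    """Return (ts, src, actions) for watched actions sent without a login cookie."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        if not isinstance(entry, dict):
            continue
        if not urlsplit(entry.get("uri", "")).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        matched = requested_actions(entry) & WATCHED
        if matched and not looks_logged_in(entry):
            hits.append((entry.get("ts"), entry.get("src"), sorted(matched)))
    return hits

# Constructed sample records (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '{"ts": "2024-09-28T10:00:01Z", "src": "203.0.113.10", "uri": "/wp-admin/admin-ajax.php", "cookie": "", "body": "action=ays_chatgpt_connect"}',
    '{"ts": "2024-09-28T10:00:05Z", "src": "203.0.113.10", "uri": "/wp-admin/admin-ajax.php?action=ays_chatgpt_disconnect", "cookie": "", "body": ""}',
    '{"ts": "2024-09-28T10:02:00Z", "src": "198.51.100.7", "uri": "/wp-admin/admin-ajax.php", "cookie": "wordpress_logged_in_abc123=admin", "body": "action=ays_chatgpt_save_feedback"}',
    '{"ts": "2024-09-28T10:03:00Z", "src": "198.51.100.9", "uri": "/wp-admin/admin-ajax.php", "cookie": "", "body": "action=heartbeat"}',
    'truncated line, not JSON',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Hits dated before the upgrade to 2.1.0 are the ones that make the key rotation in step 2 urgent.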

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
8.4 - AI system security
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management
MANAGE-2.2 - Mechanisms to sustain AI system trustworthiness
OWASP LLM Top 10
LLM07:2025 - System Prompt Leakage / Insecure Plugin Design

Frequently Asked Questions

Is CVE-2024-7714 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7714, increasing the risk of exploitation.

What systems are affected by CVE-2024-7714?

This vulnerability affects the following AI/ML architecture patterns: plugin, api, inference.

What is the CVSS score for CVE-2024-7714?

CVE-2024-7714 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.83%.

What is the AI security impact?

Affected AI Architectures

plugin, api, inference

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0096 AI Service API

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM07:2025

What are the technical details?

Original Advisory

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls allowing an unauthenticated user to disconnect the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 from OpenAI, thereby disabling the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'

Exploitation Scenario

An adversary scanning for WordPress sites with exposed AJAX endpoints identifies a target running the vulnerable AYS ChatBot plugin via HTTP fingerprinting. With a single unauthenticated POST to wp-admin/admin-ajax.php with action=ays_chatgpt_connect and a payload containing the attacker's own OpenAI API key, the adversary hijacks the AI service. All subsequent user conversations are now routed through the attacker's API key — enabling full conversation interception without any presence on the server. Simultaneously, the attacker could exfiltrate accumulated conversation history if the feedback endpoint exposes stored data, or simply disconnect the service to cause customer-facing availability impact for a competitor.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: September 27, 2024
Last Modified: October 7, 2024
First Seen: September 27, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2024/CVE-2024-7714.yaml -u https://target.example.com

Related Vulnerabilities