CVE-2024-7714: AYS ChatGPT WP Plugin: auth bypass disables AI service

Severity: HIGH | PoC available | Nuclei template available | CISA SSVC: Track*
Published September 27, 2024
CISO Take

Any unauthenticated user can disconnect your WordPress AI chatbot from OpenAI or reconnect it with arbitrary credentials, effectively hijacking or killing the service. If you run this plugin on any customer-facing WordPress site, patch to 2.1.0 immediately — no authentication required to exploit means automated scanners will find and abuse this within hours of deployment. The 'connect' action is the more dangerous of the three: an attacker may substitute their own OpenAI API key, redirecting all conversations and potentially exfiltrating user queries.

Risk Assessment

High exploitability: network-accessible, no authentication, no user interaction, low complexity — trivially scriptable. The CVSS integrity score is High because the 'connect' action can redirect the AI service to attacker-controlled credentials. Real-world exposure is scoped to WordPress sites using this specific plugin, limiting blast radius, but the simplicity of exploitation compensates. Not in CISA KEV and no public exploit PoC confirmed, but the attack surface is fully exposed via standard WordPress AJAX endpoints.

Affected Systems

Package            Ecosystem   Vulnerable Range   Patched
chatgpt_assistant  -           -                  No patch

Do you use chatgpt_assistant? You're affected.

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 23.9% chance of exploitation in 30 days (higher than 96% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 24%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): None

Recommended Action

5 steps
  1. Patch immediately: update to AYS AI ChatBot plugin version 2.1.0 or later.

  2. Verify your OpenAI API key was not replaced: check plugin settings and rotate your OpenAI API key regardless — treat it as potentially compromised if this plugin was exposed pre-patch.

  3. Review WordPress access logs for POST requests to wp-admin/admin-ajax.php with action=ays_chatgpt_disconnect, ays_chatgpt_connect, or ays_chatgpt_save_feedback from unauthenticated sessions.

  4. If patching is not immediately possible, block unauthenticated AJAX requests to these action handlers via WAF rules.

  5. Enable WordPress plugin auto-updates for security releases.
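As an added example (not part of this advisory and not the AYS plugin's own code), the Python script below turns steps 3 and 4 into something a defender can run: it scans combined-format access log lines for POST requests to wp-admin/admin-ajax.php whose action is one of the three names above, and it encodes the WAF decision of step 4 (deny those actions unless the request carries a WordPress login cookie). The log lines and IP addresses are constructed, and the script assumes the action name is visible in the query string; a POST whose action is only in the request body is invisible in a default access log, so such requests are flagged for body-level inspection rather than matched. It also assumes the plugin's own admin page uses these same actions, which is why the virtual patch keys on the login cookie instead of blocking the actions outright.

```python
"""Detection and WAF-style decision logic for the unauthenticated AJAX
actions described in CVE-2024-7714. Added example, not the plugin's code.

Assumptions (constructed for illustration): logs are in Apache/nginx
combined format and the `action` parameter appears in the query string.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Action names taken from the advisory; path is the standard WordPress AJAX endpoint.
TARGET_ACTIONS = {
    "ays_chatgpt_disconnect",
    "ays_chatgpt_connect",
    "ays_chatgpt_save_feedback",
}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2024:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=ays_chatgpt_connect HTTP/1.1" 200 43 "-" "python-requests/2.31"',
    '203.0.113.7 - - [28/Sep/2024:10:01:13 +0000] "POST /wp-admin/admin-ajax.php?action=ays_chatgpt_disconnect HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.4 - - [28/Sep/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Sep/2024:10:05:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [28/Sep/2024:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=ays_chatgpt_save_feedback HTTP/1.1" 403 0 "-" "curl/8.4"',
]


def classify_log_line(line):
    """Return a finding dict for a relevant log line, or None if the line is not of interest.

    verdict == "suspicious": POST to admin-ajax.php with one of the plugin actions.
    verdict == "needs-body-inspection": POST to admin-ajax.php with no action in the
    query string; the action may be in the body, which a default access log omits.
    """
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(AJAX_PATH):
        return None
    action = parse_qs(parts.query).get("action", [None])[0]
    if action in TARGET_ACTIONS:
        verdict = "suspicious"
    elif action is None:
        verdict = "needs-body-inspection"
    else:
        return None  # some other AJAX action, e.g. heartbeat
    return {
        "ip": m["ip"],
        "time": m["time"],
        "action": action,
        "status": int(m["status"]),
        "verdict": verdict,
    }


def scan_access_log(lines):
    """Run classify_log_line over every line and keep only findings."""
    return [f for f in (classify_log_line(l) for l in lines) if f]


def should_block(method, path, args, cookies):
    """WAF-style virtual patch (step 4): deny the three plugin actions when the
    request carries no WordPress login cookie. `args` holds query/form parameters,
    `cookies` maps cookie names to values. A cookie's presence is not proof of a
    valid session; this is a stopgap until the plugin is updated to 2.1.0."""
    if method != "POST" or not path.endswith(AJAX_PATH):
        return False
    if args.get("action") not in TARGET_ACTIONS:
        return False
    logged_in = any(name.startswith("wordpress_logged_in_") for name in cookies)
    return not logged_in


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} action={finding["action"]} '
              f'status={finding["status"]} -> {finding["verdict"]}')
```

The access log cannot distinguish authenticated from unauthenticated callers on its own; correlate the flagged source addresses with the user agent and with wp-admin login activity, or add the login-cookie presence to a custom log format. Because a WAF cannot validate a WordPress session cookie, the cookie check in should_block only raises the bar for automated scanners; the real fix remains the update in step 1.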

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
8.4 - AI system security
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management
MANAGE-2.2 - Mechanisms to sustain AI system trustworthiness
OWASP LLM Top 10
LLM07:2025 - System Prompt Leakage / Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2024-7714?

Any unauthenticated user can disconnect your WordPress AI chatbot from OpenAI or reconnect it with arbitrary credentials, effectively hijacking or killing the service. If you run this plugin on any customer-facing WordPress site, patch to 2.1.0 immediately — no authentication required to exploit means automated scanners will find and abuse this within hours of deployment. The 'connect' action is the more dangerous of the three: an attacker may substitute their own OpenAI API key, redirecting all conversations and potentially exfiltrating user queries.

Is CVE-2024-7714 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7714, increasing the risk of exploitation.

How to fix CVE-2024-7714?

  1. Patch immediately: update to AYS AI ChatBot plugin version 2.1.0 or later.
  2. Verify your OpenAI API key was not replaced: check plugin settings and rotate your OpenAI API key regardless — treat it as potentially compromised if this plugin was exposed pre-patch.
  3. Review WordPress access logs for POST requests to wp-admin/admin-ajax.php with action=ays_chatgpt_disconnect, ays_chatgpt_connect, or ays_chatgpt_save_feedback from unauthenticated sessions.
  4. If patching is not immediately possible, block unauthenticated AJAX requests to these action handlers via WAF rules.
  5. Enable WordPress plugin auto-updates for security releases.

What systems are affected by CVE-2024-7714?

This vulnerability affects the following AI/ML architecture patterns: plugin, api, inference.

What is the CVSS score for CVE-2024-7714?

CVE-2024-7714 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 23.89%.

Technical Details

NVD Description

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls allowing an unauthenticated user to disconnect the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 from OpenAI, thereby disabling the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'

Exploitation Scenario

An adversary scanning for WordPress sites with exposed AJAX endpoints identifies a target running the vulnerable AYS ChatBot plugin via HTTP fingerprinting. With a single unauthenticated POST to wp-admin/admin-ajax.php with action=ays_chatgpt_connect and a payload containing the attacker's own OpenAI API key, the adversary hijacks the AI service. All subsequent user conversations are now routed through the attacker's API key — enabling full conversation interception without any presence on the server. Simultaneously, the attacker could exfiltrate accumulated conversation history if the feedback endpoint exposes stored data, or simply disconnect the service to cause customer-facing availability impact for a competitor.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: September 27, 2024
Last Modified: October 7, 2024
First Seen: September 27, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-7714.yaml -u https://target.example.com

Related Vulnerabilities