AI Threat Alert
Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-2492 | TensorFlow: security flaw enables exploitation | - | |
| MEDIUM | CVE-2026-2589 | Greenshift: Info Disclosure leaks sensitive data | 5.3 | |
| CRITICAL | CVE-2026-28451 | OpenClaw: SSRF via Feishu extension exposes internal services | openclaw | 9.3 |
| CRITICAL | CVE-2026-30821 | flowise: Arbitrary File Upload enables RCE | flowise | 9.8 |
| CRITICAL | CVE-2023-34540 | LangChain: RCE via JiraAPIWrapper crafted input | langchain | 9.8 |
| CRITICAL | CVE-2023-39659 | LangChain: RCE via unsanitized PythonAstREPL input | langchain | 9.8 |
| CRITICAL | CVE-2023-39631 | LangChain: RCE via numexpr evaluate injection | langchain | 9.8 |
| CRITICAL | CVE-2025-46059 | LangChain GmailToolkit: indirect prompt injection to RCE | 9.8 | |
| MEDIUM | CVE-2023-1651 | AI ChatBot WP: auth bypass exposes OpenAI config + XSS | wpbot | 5.4 |
| MEDIUM | CVE-2024-0451 | wpbot: missing auth exposes OpenAI account files | wpbot | 5.0 |
| HIGH | CVE-2024-0452 | WordPress AI ChatBot: auth bypass enables OpenAI file upload | wpbot | 7.7 |
| HIGH | CVE-2024-0453 | WordPress ChatBot: missing authz deletes OpenAI files | wpbot | 7.7 |
| MEDIUM | CVE-2024-4858 | WP Testimonial Carousel: OpenAI API key hijack, no auth | 5.3 | |
| MEDIUM | CVE-2024-6845 | ChatGPT WP Plugin: OpenAI API key leak via unauth REST | 5.3 | |
| HIGH | CVE-2024-7714 | AYS ChatGPT WP Plugin: auth bypass disables AI service | 7.5 | |
| CRITICAL | CVE-2024-52384 | Sage AI Plugin: unrestricted upload → web shell RCE | 9.9 | |
| MEDIUM | CVE-2024-11896 | WP Text Prompter: Stored XSS in OpenAI shortcode plugin | 6.4 | |
| MEDIUM | CVE-2024-13698 | Jobify WP: missing authz allows OpenAI key abuse, SSRF | 6.5 | |
| MEDIUM | CVE-2025-31843 | OpenAI WP Plugin: broken access control on AI settings | 4.3 | |
| HIGH | CVE-2025-5018 | Hive Support WP: OpenAI key theft + prompt hijack | 7.1 |
Page 1 of 13