Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE via code-interpreter sandboxes that are too easy to escape, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have had published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop approval for irreversible actions, separate trust contexts, and auditable tool-invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2025-6716 | Contest Gallery WP Plugin: Stored XSS in OpenAI integration | | 6.4 |
| MEDIUM | CVE-2025-7780 | WordPress AI Engine: SSRF leaks files via OpenAI API | | 6.5 |
| MEDIUM | CVE-2025-54558 | OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse | | 4.1 |
| HIGH | CVE-2025-7725 | WP Contest Gallery: Stored XSS exposes OpenAI API creds | | 7.2 |
| MEDIUM | CVE-2025-60511 | Moodle: IDOR enables unauthorized data access | | 4.3 |
| MEDIUM | CVE-2025-12360 | Better: security flaw enables exploitation | | 4.3 |
| MEDIUM | CVE-2025-11972 | AI component: SQL Injection exposes database | | 4.9 |
| MEDIUM | CVE-2025-12732 | AI component: Info Disclosure leaks sensitive data | | 4.3 |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | | 7.2 |
| MEDIUM | CVE-2025-13354 | taxopress: Missing Auth allows unauthorized operations | | 4.3 |
| MEDIUM | CVE-2025-13359 | taxopress: SQL Injection exposes database | | 6.5 |
| MEDIUM | CVE-2025-13922 | AI component: SQL Injection exposes database | | 6.5 |
| MEDIUM | CVE-2025-14371 | AI component: Missing Auth allows unauthorized operations | | 4.3 |
| MEDIUM | CVE-2025-14980 | BetterDocs: Info Disclosure leaks sensitive data | | 6.5 |
| UNKNOWN | CVE-2024-10950 | gpt_academic: RCE via unsandboxed prompt injection | gpt_academic | - |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | | 8.8 |
| LOW | CVE-2026-24764 | OpenClaw: indirect prompt injection via Slack metadata | openclaw | 3.7 |
| HIGH | CVE-2026-26321 | OpenClaw: path traversal enables local file exfiltration | openclaw | 7.5 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| MEDIUM | CVE-2021-28796 | Qiita::Markdown: XSS in transformer components | | 6.1 |