Researchers recently identified CVE-2024-0453, a missing-capability-check vulnerability in the AI ChatBot plugin for WordPress, affecting versions up to and including 5.3.4. The flaw lies in the openai_file_delete_callback function, which performs no capability check before acting, so any authenticated user with subscriber-level access or higher can delete files from the OpenAI account linked to the plugin. The vulnerability is rated medium severity with a CVSS v3 base score of 5.0.
Detailed Description
The AI ChatBot plugin, widely used to integrate OpenAI's chatbot capabilities into WordPress sites, did not enforce access control on its file deletion functionality. Specifically, openai_file_delete_callback did not verify that the calling user held a capability appropriate for the operation; being logged in was the only requirement. As a result, any authenticated user, including those holding the least-privileged subscriber role (the role WordPress assigns by default to self-registered accounts on sites with open registration), could trigger file deletions against the OpenAI account linked to the plugin.
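The pattern behind this class of bug, as an added illustration that is not the AI ChatBot plugin's own code: a WordPress handler that forwards a delete to the OpenAI Files API, first in the vulnerable shape (logged-in is the only gate) and then hardened with a capability check, a nonce check and input validation. It assumes the handler is wired as an admin-ajax action, which the advisory does not confirm; the action name, function names, option name and the file-id pattern are all hypothetical.

```php
<?php
// Added example; not code from the AI ChatBot plugin. Hypothetical names throughout.
// wp_ajax_* hooks fire for every authenticated user, including subscribers, so the
// handler itself must decide who is allowed to perform the operation.

// --- Vulnerable shape (shown for contrast; deliberately NOT hooked) ---
function example_openai_file_delete_vulnerable() {
    $file_id = isset( $_POST['file_id'] ) ? sanitize_text_field( wp_unslash( $_POST['file_id'] ) ) : '';
    // No current_user_can() and no nonce check: any logged-in user reaches the API call.
    wp_send_json( example_openai_delete_file( $file_id ) );
}

// --- Hardened shape ---
add_action( 'wp_ajax_example_openai_file_delete', 'example_openai_file_delete_hardened' );

function example_openai_file_delete_hardened() {
    // 1. Capability check: restrict to administrators. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF check against a nonce minted with wp_create_nonce( 'example_openai_file_delete' )
    //    and sent in the 'nonce' POST field; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_openai_file_delete', 'nonce' );

    // 3. Input validation. The "file-<alnum>" pattern is an assumption about OpenAI file ids.
    $file_id = isset( $_POST['file_id'] ) ? sanitize_text_field( wp_unslash( $_POST['file_id'] ) ) : '';
    if ( ! preg_match( '/^file-[A-Za-z0-9]+$/', $file_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file id.' ), 400 );
    }

    wp_send_json_success( example_openai_delete_file( $file_id ) );
}

// Shared API call: DELETE https://api.openai.com/v1/files/{file_id}.
function example_openai_delete_file( $file_id ) {
    $api_key  = get_option( 'example_openai_api_key' ); // assumed option name for the stored key
    $response = wp_remote_request(
        'https://api.openai.com/v1/files/' . rawurlencode( $file_id ),
        array(
            'method'  => 'DELETE',
            'headers' => array( 'Authorization' => 'Bearer ' . $api_key ),
            'timeout' => 15,
        )
    );
    if ( is_wp_error( $response ) ) {
        return array( 'deleted' => false, 'error' => $response->get_error_message() );
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}
```

The ordering matters: the capability check runs before anything that touches user input or the remote API, and the nonce check is a separate control (it stops cross-site request forgery against an administrator but does nothing to stop a subscriber who can fetch a nonce from a page they are allowed to see), which is why both are needed.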
Technical Impact
The primary risk associated with CVE-2024-0453 is the unauthorized modification of data. An attacker with subscriber-level access can delete important files, leading to potential data loss and disruption of services that rely on the integrity of the OpenAI account. Although the vulnerability does not expose the system to complete takeover or data theft, the ability to delete files can significantly impact operations and data integrity.
Severity and CVSS Score
The CVSS v3 base score is 5.0, indicating medium severity. Scope is rated Changed because the impact lands on the linked OpenAI account rather than on the WordPress site that hosts the vulnerable code. The vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N, broken down as:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
Affected Versions and Remediation
All versions of the AI ChatBot plugin up to and including 5.3.4 are affected by this vulnerability. The issue was addressed in version 5.3.6, which adds the missing capability check to the file deletion path. Users of the AI ChatBot plugin are strongly advised to update to version 5.3.6 or later to mitigate the risk.
Recommendations
- Update the Plugin: Immediately update the AI ChatBot plugin to version 5.3.6 or later. The updated version includes the missing capability check, so only users with appropriate permissions can delete files.
- Review User Roles: Subscriber is the lowest default WordPress role and is granted automatically to self-registered accounts. If the site does not need open registration, disable "Anyone can register" under Settings > General, and audit existing accounts so that only trusted users hold any role at all.
- Monitor Logs: Review server logs for unusual activity related to file deletions, and compare the file list in the linked OpenAI account against what you expect to be there. This matters most if the site ran a vulnerable version while accepting logins from untrusted users, since an exploit would leave a trail of deletions rather than a compromised server.