CVE-2024-6845
Published 2024-09-25
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: EPSS 1.08% (61.0th percentile)
The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webdigit | chatbot_with_chatgpt | < 2.4.6 | 2.4.6 |
No detection rules found.
Nuclei template: CVE-2024-6845 [MEDIUM] SmartSearchWP < 2.4.6 - OpenAI Key Disclosure (CVSS 5.3)

The plugin does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.

Template:

```yaml
id: CVE-2024-6845

info:
  name: SmartSearchWP < 2.4.6 - OpenAI Key Disclosure
  author: s4e-io
  severity: medium
  description: |
    The plugin does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.
  impact: |
    Unauthenticated attackers can retrieve and decode the OpenAI API key through an unsecured REST endpoint, potentially incurring API usage costs and data exposure.
  remediation: |
    Update SmartSearchWP plugin to version 2.4.6 or la
```
No writeups or analysis indexed.