CVE-2024-7714
published 2024-09-27

CVE-2024-7714: missing access controls on AJAX actions in the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0

Priority: P3 · 53
Severity: High, CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Flags: EXPLOIT
EPSS: 0.83% (52.8th percentile)
The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls on several of its admin-ajax.php handlers. An unauthenticated user can call them directly and, in particular, disconnect the plugin from OpenAI, which disables the chatbot on the site. Three actions are reachable this way: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect' and 'ays_chatgpt_save_feedback'.

Affected (1 range)

Vendor: ays-pro
Product: chatgpt_assistant
Version range: < 2.1.0
Fixed in: 2.1.0

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?ays_chatgpt_assistant_id=1&action=ays_chatgpt_admin_ajax&function=ays_chatgpt_disconnect
path: /wp-content/plugins/ays-chatgpt-assistant
  • Detect requests to wp-admin/admin-ajax.php carrying action=ays_chatgpt_admin_ajax and function=ays_chatgpt_disconnect; the source shows a plain GET with no authentication cookie and no nonce. An HTTP 200 response with Content-Type text/html and a body of exactly 'true' indicates the disconnect succeeded.
  • Three AJAX functions are reachable without authentication: ays_chatgpt_disconnect, ays_chatgpt_connect and ays_chatgpt_save_feedback. Monitor admin-ajax.php requests whose action/function parameters carry any of these values from sessions without a WordPress login cookie.
  • Affected versions are up to and including 2.0.9; version 2.1.0 contains the fix. Scope detections to installations running <= 2.0.9; the plugin directory path alone confirms the plugin is installed, not which version.
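As an added example (not code from the advisory, the source page or the plugin), the detection rule above run over web-server access logs in Python. The parameter names and the first log line's URL come from the IOC on this page; the remaining log lines, the IP addresses and the unrelated function name are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example: flag CVE-2024-7714 IOCs in combined-format access logs.
# Parameter names come from the IOC URL on this page; the sample log
# lines, IPs and the "unrelated_function" value are constructed.

AJAX_ACTION = "ays_chatgpt_admin_ajax"
UNPROTECTED_FUNCTIONS = {
    "ays_chatgpt_disconnect",
    "ays_chatgpt_connect",
    "ays_chatgpt_save_feedback",
}

# Apache/nginx "combined" format up to the response-size field; the
# referer and user-agent fields are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the abused function name when the request target matches the IOC, else None."""
    url = urlsplit(target)
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query)
    if params.get("action", [None])[0] != AJAX_ACTION:
        return None
    func = params.get("function", [None])[0]
    return func if func in UNPROTECTED_FUNCTIONS else None


def scan(lines):
    """Return one hit per matching request, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        func = classify(entry["target"])
        if func is None:
            continue
        hits.append({
            "ip": entry["ip"],
            "time": entry["time"],
            "method": entry["method"],
            "function": func,
            "status": int(entry["status"]),
            # The advisory's success signal is a 200 with body 'true'; only the
            # status is visible in an access log, so a 200 is "likely" success.
            "likely_success": entry["status"] == "200",
        })
    return hits


# Constructed sample log (not real traffic). Line 1 reproduces the IOC URL from this page.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Sep/2024:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?ays_chatgpt_assistant_id=1&action=ays_chatgpt_admin_ajax&function=ays_chatgpt_disconnect HTTP/1.1" 200 4 "-" "curl/8.4.0"',
    '198.51.100.9 - - [27/Sep/2024:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Sep/2024:10:15:05 +0000] "GET /blog/wp-admin/admin-ajax.php?action=ays_chatgpt_admin_ajax&function=ays_chatgpt_save_feedback HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '192.0.2.4 - - [27/Sep/2024:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=ays_chatgpt_admin_ajax&function=unrelated_function HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two caveats when running this against real logs: standard access logs do not record request bodies, so a POST that carries action and function in the body rather than the query string is invisible to this rule, and they do not record cookies, so "unauthenticated" cannot be confirmed from the log alone; treat hits as candidates to correlate with WordPress login state, and remember that a 403 hit still shows someone probing the endpoint.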