CVE-2026-25338
Missing Authorization in AYS Pro AI ChatBot Enables Unauthorized Access
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ays | ays_chatgpt_assistant | to 2.7.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25338 is a Broken Access Control vulnerability in the WordPress AI ChatBot with ChatGPT and Content Generator by AYS Plugin, affecting versions up to and including 2.7.4.
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions, which allows unauthenticated users to perform actions that should be restricted to higher-privileged users.
It is classified under OWASP Top 10 A1: Broken Access Control.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability allows unauthenticated users to perform privileged actions within the affected plugin, potentially leading to unauthorized access or manipulation of the AI ChatBot's functions."}, {'type': 'paragraph', 'content': "Although the CVSS score is 5.3, indicating a low severity impact, the risk exists that attackers could exploit the missing access controls to misuse the plugin's capabilities."}, {'type': 'paragraph', 'content': 'It is recommended to update to version 2.7.5 or later where the issue has been patched to mitigate this risk.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the AYS ChatGPT Assistant WordPress plugin, allowing unauthenticated users to perform privileged actions.
There is no specific information provided about detection commands or network/system scanning techniques for this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation step is to update the AYS ChatGPT Assistant WordPress plugin to version 2.7.5 or later, where the vulnerability has been patched.
Additionally, Patchstack users can enable auto-updates specifically for vulnerable plugins to reduce the risk of exploitation.
Since no additional privileges are required to exploit this vulnerability, timely patching is critical.