CVE-2026-1336
Unauthorized Access in AYS AI ChatBot Plugin via Missing Capability Checks
Publication date: 2026-03-03
Last updated on: 2026-03-03
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ays | chatgpt_assistant | to 2.7.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress has a vulnerability due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to and including 2.7.5.
This flaw allows unauthenticated attackers to access, modify, or delete the plugin's ChatGPT API key without proper authorization.
The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6.
How can this vulnerability impact me? :
Because the vulnerability allows unauthenticated attackers to view, modify, or delete the plugin's ChatGPT API key, it can lead to unauthorized access to the API key.
This could result in attackers abusing the API key, potentially causing service disruption, unauthorized usage, or manipulation of the chatbot's behavior.
Additionally, unauthorized modification or deletion of the API key could disable the plugin's functionality or cause unexpected behavior.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access and modification of the ChatGPT API key in the AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress due to missing capability checks in certain functions.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check the installed version of the plugin to see if it is version 2.7.5 or earlier, as these versions are vulnerable.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerable plugin version on a WordPress installation include:'}, {'type': 'list_item', 'content': 'Using WP-CLI to check the plugin version: wp plugin list --status=active | grep ays-chatgpt-assistant'}, {'type': 'list_item', 'content': "Manually inspecting the plugin version in the plugin's main PHP file, typically located at wp-content/plugins/ays-chatgpt-assistant/ays-chatgpt-assistant.php, by looking for the Version header."}, {'type': 'paragraph', 'content': "Additionally, monitoring HTTP requests to the plugin's endpoints for unauthorized access attempts to the store_data() or get_chatgpt_api_key() functions could help detect exploitation attempts, but specific commands or signatures are not provided in the available resources."}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the AI ChatBot with ChatGPT and Content Generator by AYS plugin to version 2.7.6 or later, where the vulnerability is fully fixed.
If updating immediately is not possible, consider restricting access to the plugin's administrative functions and endpoints to trusted users only, as the vulnerability allows unauthenticated attackers to view or modify the ChatGPT API key.
Review and monitor your WordPress installation for any unauthorized changes to the plugin's settings or API keys.
Implement network-level protections such as web application firewalls (WAF) to block suspicious requests targeting the plugin's vulnerable functions.