CVE-2025-12043 - Vulnerability Details

- Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update

Description

The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID.

Published: 2025-11-25

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Autochat Automatic Conversation plugin for WordPress is vulnerable because the wp_ajax_nopriv_auycht_saveCid endpoint lacks a capability check. This missing authorization allows any unauthenticated user to send requests that modify the plugin’s client ID, effectively enabling the attacker to connect or disconnect the client from the conversation system. The flaw does not provide direct remote code execution, but it compromises the integrity of the plugin’s configuration and can alter user experience or data flow.

Affected Systems

WordPress sites that have the Autochat Automatic Conversation plugin installed, versions 1.1.9 and earlier, regardless of site role or user authentication state.

Risk and Exploitability

The CVSS structure of 5.3 indicates moderate impact when exploited. However, the EPSS score of less than 1% reflects a very low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would simply craft unauthenticated HTTP POST requests to the vulnerable AJAX endpoint, requiring no credentials and minimal effort. Given the lack of an authentication requirement, the vulnerability is readily exploitable as long as the plugin remains installed in a WordPress environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

autochat

Autochat Automatic Conversation

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.9

No data.

Vendor	Product	Confidence	Versions
Autochat	Automatic Conversation	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Autochat Automatic Conversation plugin to the latest version that addresses the missing capability check.
If an immediate update is not possible, block or restrict the wp_ajax_nopriv_auycht_saveCid endpoint so that only authenticated users can invoke it, for example by using a security plugin or custom code to drop unauthenticated requests to that URL.
If the plugin is not critical to the site’s functionality, consider disabling or uninstalling it to eliminate the vulnerability.

Generated by OpenCVE AI on April 22, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://wordpress.org/plugins/auyautochat-for-wp/
https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve

History

Wed, 26 Nov 2025 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Autochat Autochat automatic Conversation Wordpress Wordpress wordpress
Vendors & Products		Autochat Autochat automatic Conversation Wordpress Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 25 Nov 2025 07:45:00 +0000

Type	Values Removed	Values Added
Description		The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID.
Title		Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update
Weaknesses		CWE-862
References		https://wordpress.org/plugins/auyautochat-for-wp/ https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Autochat Automatic Conversation

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-25T07:28:18.304Z

Updated: 2026-04-08T16:34:17.716Z

Reserved: 2025-10-21T19:03:42.165Z

Link: CVE-2025-12043

Vulnrichment

Updated: 2025-11-25T14:46:32.983Z

NVD

Status : Deferred

Published: 2025-11-25T08:15:48.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object