Description
Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.
Published: 2025-05-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862): the Bertha AI plugin for WordPress performs at least one privileged action without first checking that the requesting user is allowed to perform it. The advisory does not name the affected action or endpoint. The CVSS 3.1 vector recorded for the CVE (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) indicates that the missing check is reachable by any authenticated account with low privileges and that the assessed impact is a limited loss of availability; no confidentiality or integrity impact is scored, so the record does not support claims that configuration data or content can be read or altered.

Affected Systems

Any WordPress site running the Bertha AI plugin by Andrew Palmer (WordPress.org slug bertha-ai-free) at version 1.13 or earlier is affected. No lower bound is recorded ("n/a"), so every release up to and including 1.13 should be treated as vulnerable. Note that the affected range was first published as <= 1.12.11 and was widened to <= 1.13 on 1 April 2026 (see History); a site that updated to 1.13 in response to the original advisory is still in scope.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) rates the flaw Medium: it is reachable over the network with low attack complexity and no user interaction, but it requires an authenticated account with low privileges (a Subscriber-level account, not an administrator session), and the scored impact is limited to low availability. The EPSS estimate below 1%, the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: partial) and the absence of a CISA KEV listing all indicate no observed exploitation at the time of writing. Be aware that the record briefly carried an 8.8 High vector (C:H/I:H/A:H) between 1 and 23 April 2026 before being reverted to 4.3 (see History), so scanners that cached the interim value may report a higher severity. The practical exposure is therefore sites that run the plugin and allow low-privilege accounts (open registration, customer or subscriber roles), since such an account is the precondition the vector describes. The defect is in the plugin's own authorization checks, not in WordPress core, so the attack surface is narrow but real for sites that use the plugin.

Generated by OpenCVE AI on April 30, 2026 at 20:11 UTC.
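To make the CWE-862 pattern concrete, below is an illustration added for this page; it is not Bertha AI's code (the advisory does not disclose the affected endpoint), and every name beginning example_ai_ is hypothetical. It shows the two places a WordPress plugin most often drops an authorization check, an admin-ajax action and a REST route, with the missing check beside the hardened form. The wp_ajax_ hook fires for any logged-in user, which is exactly the PR:L precondition in the recorded vector.

```php
<?php
/**
 * Added illustration of CWE-862 (Missing Authorization) in WordPress plugin code.
 * NOT Bertha AI's code: the advisory does not disclose the affected endpoint.
 * Every example_ai_* name is hypothetical.
 */

// --- VULNERABLE admin-ajax handler -------------------------------------------
// wp_ajax_{action} runs for every logged-in user, including Subscribers, so an
// action that performs privileged work without a capability check is reachable
// by any low-privilege account (CVSS PR:L).
add_action( 'wp_ajax_example_ai_clear_cache', 'example_ai_clear_cache_vulnerable' );
function example_ai_clear_cache_vulnerable() {
    delete_transient( 'example_ai_generated_content' ); // privileged side effect
    wp_send_json_success( array( 'cleared' => true ) );
}

// --- HARDENED admin-ajax handler ---------------------------------------------
// Authorization (current_user_can) decides WHO may do this; the nonce check
// (check_ajax_referer) defends against CSRF. A nonce alone is not authorization:
// it only proves the request originated from a page the user legitimately loaded.
add_action( 'wp_ajax_example_ai_clear_cache_secure', 'example_ai_clear_cache_hardened' );
function example_ai_clear_cache_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    check_ajax_referer( 'example_ai_clear_cache', 'nonce' );
    delete_transient( 'example_ai_generated_content' );
    wp_send_json_success( array( 'cleared' => true ) );
}

// --- REST routes: same mistake, same fix --------------------------------------
add_action( 'rest_api_init', function () {
    // VULNERABLE: permission_callback => '__return_true' makes the route public
    // to anyone, authenticated or not (the REST equivalent of no check at all).
    register_rest_route( 'example-ai/v1', '/clear-cache', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_ai_rest_clear_cache',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: WordPress evaluates permission_callback before the callback runs
    // and returns the WP_Error itself when the caller lacks the capability.
    register_rest_route( 'example-ai/v1', '/clear-cache-secure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_ai_rest_clear_cache',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' )
                ? true
                : new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
        },
    ) );
} );

function example_ai_rest_clear_cache( WP_REST_Request $request ) {
    delete_transient( 'example_ai_generated_content' );
    return rest_ensure_response( array( 'cleared' => true ) );
}
```

To check a handler of your own against this pattern, log in as a Subscriber and POST to /wp-admin/admin-ajax.php with action=example_ai_clear_cache: the vulnerable handler answers with a success payload, the hardened one with HTTP 403. For the REST routes, an unauthenticated POST to /wp-json/example-ai/v1/clear-cache succeeds while /clear-cache-secure returns 403 without ever running the callback.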

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin changelog and the Patchstack advisory for a release newer than 1.13 and update as soon as one is available; at the time of this page no vendor fix is recorded, so confirm that a new release actually addresses this issue rather than assuming a version bump closes it.
  • Until a fix is available, reduce the number of accounts that satisfy the PR:L precondition: disable open registration (Settings > General > Membership), audit existing low‑privilege users, and restrict plugin access by role where the plugin exposes such settings. Site‑side role or capability changes only help for actions the plugin actually gates on a capability; a handler that performs no check at all cannot be mitigated by editing roles.
  • If the plugin is not essential, remove or disable it entirely.

Generated by OpenCVE AI on April 30, 2026 at 20:11 UTC.

Advisories
Source  ID  Title
EUVD  EUVD-2025-15511  Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.
History

Tue, 28 Apr 2026 18:30:00 +0000
  Description
    Removed: Missing Authorization vulnerability in Bertha AI &#8211; Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.
    Added: Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.
    Added: Missing Authorization vulnerability in Bertha AI &#8211; Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.
  Title
    Removed: WordPress BERTHA AI <= 1.12.11 - Broken Access Control Vulnerability
    Added: WordPress BERTHA AI plugin <= 1.13 - Broken Access Control Vulnerability
  References
    (changed; values not shown on this page)
  Metrics (cvssV3_1)
    Removed: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}
    Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 30 May 2025 21:45:00 +0000
  First Time appeared
    Added: Bertha; Bertha bertha Ai
  CPEs
    Added: cpe:2.3:a:bertha:bertha_ai:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Added: Bertha; Bertha bertha Ai

Fri, 16 May 2025 17:15:00 +0000
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000
  Description
    Added: Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.
  Title
    Added: WordPress BERTHA AI <= 1.12.11 - Broken Access Control Vulnerability
  Weaknesses
    Added: CWE-862
  References
    (added; values not shown on this page)
  Metrics (cvssV3_1)
    Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:16:51.661Z

Reserved: 2025-05-15T18:01:40.432Z

Link: CVE-2025-48138

Vulnrichment

Updated: 2025-05-16T16:21:14.071Z

NVD

Status : Modified

Published: 2025-05-16T16:15:45.793

Modified: 2026-04-28T19:32:37.803

Link: CVE-2025-48138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses

CWE-862 Missing Authorization