Description
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key.
The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of the plugin’s ChatGPT API key by unauthenticated users
Action: Update Plugin
AI Analysis

Impact

The vulnerability arises from missing capability checks in the plugin’s store_data() and get_chatgpt_api_key() functions. Because these functions can be invoked without authentication, an unauthenticated attacker can view, modify, or delete the stored ChatGPT API key. This exposes the site owner’s secret credential and lets the attacker hijack or deny the plugin’s ChatGPT functionality. The impact is data compromise and potential abuse of the remote service through the exposed API key.
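As an added illustration of the CWE-862 pattern described above, not code from the AYS plugin, here is a generic WordPress admin-ajax handler in its vulnerable shape beside a hardened one that gates both the write and the read of the key on a capability check and a nonce. The handler names, option key and nonce actions (ays_demo_*) are hypothetical.

```php
<?php
// Constructed illustration of a missing-authorization (CWE-862) AJAX handler
// in WordPress. All ays_demo_* names and the option key are hypothetical.

// Vulnerable shape: registered for unauthenticated callers (the wp_ajax_nopriv_
// hook) and writes the option with no capability check and no nonce check.
add_action( 'wp_ajax_nopriv_ays_demo_store_data', 'ays_demo_store_data_insecure' );
add_action( 'wp_ajax_ays_demo_store_data', 'ays_demo_store_data_insecure' );
function ays_demo_store_data_insecure() {
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'ays_demo_chatgpt_api_key', $key ); // anyone can overwrite the key
    wp_send_json_success();
}

// Hardened shape: logged-in users only (no nopriv hook), an explicit capability
// check, and a nonce bound to this action so the request cannot be forged.
add_action( 'wp_ajax_ays_demo_store_data_secure', 'ays_demo_store_data_secure' );
function ays_demo_store_data_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    check_ajax_referer( 'ays_demo_store_data', 'nonce' ); // dies on a bad nonce
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'ays_demo_chatgpt_api_key', $key );
    wp_send_json_success();
}

// The read path gets the same gate, so the secret never leaves the admin context.
add_action( 'wp_ajax_ays_demo_get_chatgpt_api_key', 'ays_demo_get_chatgpt_api_key_secure' );
function ays_demo_get_chatgpt_api_key_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'ays_demo_get_chatgpt_api_key', 'nonce' );
    wp_send_json_success( array( 'api_key' => get_option( 'ays_demo_chatgpt_api_key', '' ) ) );
}
```

When reviewing a plugin for this class of bug, look for every wp_ajax_nopriv_* registration and every REST route whose permission_callback is __return_true, and confirm that any handler touching a secret performs a current_user_can() check before reading or writing it.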

Affected Systems

All installations of the AI ChatBot with ChatGPT and Content Generator by AYS for WordPress, specifically versions up to and including 2.7.5. Users running 2.7.5 are only partially protected; the issue is fully resolved in version 2.7.6, where the fix is complete.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not yet in the CISA KEV catalog. However, the flaw can be exploited via unauthenticated HTTP requests to the plugin’s API endpoints, a vector that is simple and requires no special credentials. Even though the potential impact is limited to API key disclosure, the compromised key can be used for services that may carry monetary costs or privacy risks.

Generated by OpenCVE AI on April 15, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.7.6 or later where the authorization checks are correctly implemented.
  • If an upgrade cannot be performed immediately, temporarily restrict access to the plugin’s REST/API endpoints by configuring WordPress to allow only administrators or by blocking the endpoints with server rules.
  • After the update, delete any existing API keys that may have been exposed and verify that only authorized users can modify them.


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ays Pro
                    |                | Ays Pro ai Chatbot With Chatgpt And Content Generator By Ays
                    |                | Wordpress
                    |                | Wordpress wordpress
Vendors & Products  |                | Ays Pro
                    |                | Ays Pro ai Chatbot With Chatgpt And Content Generator By Ays
                    |                | Wordpress
                    |                | Wordpress wordpress

Tue, 03 Mar 2026 06:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6
Title       |                | AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Ays Pro Ai Chatbot With Chatgpt And Content Generator By Ays
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:09.571Z

Reserved: 2026-01-22T12:43:02.635Z

Link: CVE-2026-1336

Vulnrichment

Updated: 2026-03-03T01:52:58.400Z

NVD

Status : Deferred

Published: 2026-03-03T00:15:54.923

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-1336

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses