Description
The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's options including the critical 'assistiobot_oauth_settings' option, which disrupts the plugin's integration with the Assistio bot service.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Assistio WordPress plugin contains a missing capability check and nonce verification on the assistio_plugin_delete_assistio_settings() action. As a result, authenticated users with Subscriber-level access or higher can trigger the deletion of all plugin options, including the critical 'assistiobot_oauth_settings', effectively disabling the plugin's integration with the Assistio bot service. This flaw leads to loss of data integrity and a disruption of service for sites that rely on the bot for support and automation.
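The class of bug described here is a WordPress AJAX handler that performs a destructive action without first verifying a nonce and a capability. The following is an added example, not code from the Assistio plugin, showing the handler pattern that closes a CWE-862 gap of this kind; the hook, function, option and nonce action names (`example_*`) are hypothetical, while every WordPress API call used is a real core function.

```php
<?php
// Added example (not the Assistio plugin's code). Hook, option and nonce names
// prefixed example_* are hypothetical; the WordPress functions are real core APIs.

// wp_ajax_* hooks run for any logged-in user, including Subscribers. Being
// logged in is therefore NOT authorization; the handler must check that itself.
add_action( 'wp_ajax_example_delete_settings', 'example_delete_settings' );

function example_delete_settings() {
    // 1. Nonce check (CSRF defence). Expects the nonce in the 'security'
    //    request field; on a missing/invalid nonce it calls wp_die( -1, 403 ).
    check_ajax_referer( 'example_delete_settings_nonce', 'security' );

    // 2. Capability check (authorization). A nonce alone is not enough: any
    //    user who can load a page that embeds the nonce could replay it, so
    //    restrict the destructive action to users who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only after both checks pass, perform the destructive operation.
    $options = array( 'example_oauth_settings', 'example_general_settings' );
    foreach ( $options as $option ) {
        delete_option( $option );
    }

    wp_send_json_success( array( 'message' => 'Plugin settings deleted.' ) );
}

// The admin page that issues the request must be handed a matching nonce.
// Only enqueue on the plugin's own settings page so the nonce is not exposed
// more widely than needed.
function example_enqueue_admin_script( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The ordering matters for review: the nonce check defends against cross-site request forgery, the capability check enforces who may act, and neither substitutes for the other. When auditing a plugin for this pattern, look at every callback registered on a `wp_ajax_*` hook that calls `delete_option()`, `update_option()` or similar and confirm both checks precede the write.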

Affected Systems

The vulnerability affects the Assist.io Assistio plugin for WordPress, impacting all installations of versions up to and including 1.1.2. Sites running any of these versions should verify the current plugin version and upgrade if available.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate level of severity. EPSS is not available, but the lack of an authorization (capability) check and nonce validation means the attack is straightforward for any authenticated user. The flaw is not listed in CISA's KEV catalog, so no active exploitation campaigns have been reported at this time. Nonetheless, any Subscriber-level or higher privileged user can exploit the issue to permanently delete the plugin's configuration, which may require manual reconfiguration or reinstallation of the plugin.

Generated by OpenCVE AI on June 24, 2026 at 09:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Assistio to a version that includes the missing capability check and nonce verification
  • If a patch is not yet available, immediately disable the Assistio plugin to prevent accidental or malicious deletion of settings
  • Review WordPress user roles and confirm that only trusted personnel have Subscriber or higher privileges; consider revoking or limiting these roles if the plugin is not critical

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's options including the critical 'assistiobot_oauth_settings' option, which disrupts the plugin's integration with the Assistio bot service.
Title | (none) | Assistio <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Deletion via assistio_plugin_delete_assistio_settings AJAX Action
Weaknesses | (none) | CWE-862
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:15:30.464Z

Reserved: 2026-05-14T17:34:56.542Z

Link: CVE-2026-8614

Vulnrichment

Updated: 2026-06-24T12:15:25.407Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses