Search criteria
4 vulnerabilities found for AI ChatBot with ChatGPT and Content Generator by AYS by ays-pro
CVE-2025-13381 (GCVE-0-2025-13381)
Vulnerability from cvelistv5 – Published: 2025-11-27 09:27 – Updated: 2025-12-03 21:09
VLAI?
Title
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.0 - Missing Authorization to Unauthenticated Media File Uploads
Summary
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | AI ChatBot with ChatGPT and Content Generator by AYS |
Affected:
* , ≤ 2.7.0
(semver)
|
Credits
Chokri Hammedi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:08:57.938848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:09:06.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI ChatBot with ChatGPT and Content Generator by AYS",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "2.7.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chokri Hammedi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the \u0027ays_chatgpt_save_wp_media\u0027 function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T09:27:49.560Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be3411ec-0e34-4b0b-a04c-98ac94396989?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3585"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/includes/class-chatgpt-assistant.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3268"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3597"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650\u0026old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T20:38:46.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-26T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "AI ChatBot with ChatGPT and Content Generator by AYS \u003c= 2.7.0 - Missing Authorization to Unauthenticated Media File Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13381",
"datePublished": "2025-11-27T09:27:49.560Z",
"dateReserved": "2025-11-18T20:23:35.769Z",
"dateUpdated": "2025-12-03T21:09:06.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13378 (GCVE-0-2025-13378)
Vulnerability from cvelistv5 – Published: 2025-11-27 09:27 – Updated: 2025-12-03 17:08
VLAI?
Title
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.0 - Unauthenticated Server-Side Request Forgery via 'pinecone_url' Parameter
Summary
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity ?
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | AI ChatBot with ChatGPT and Content Generator by AYS |
Affected:
* , ≤ 2.7.0
(semver)
|
Credits
Chokri Hammedi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T17:08:46.351229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:08:53.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI ChatBot with ChatGPT and Content Generator by AYS",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "2.7.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chokri Hammedi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T09:27:48.378Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/293ad145-dc93-4d7a-83ba-78f8c730ed6d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3483"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/admin/class-chatgpt-assistant-admin.php#L3483"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/includes/class-chatgpt-assistant.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650\u0026old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T20:13:55.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-26T21:00:16.000+00:00",
"value": "Disclosed"
}
],
"title": "AI ChatBot with ChatGPT and Content Generator by AYS \u003c= 2.7.0 - Unauthenticated Server-Side Request Forgery via \u0027pinecone_url\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13378",
"datePublished": "2025-11-27T09:27:48.378Z",
"dateReserved": "2025-11-18T19:56:37.440Z",
"dateUpdated": "2025-12-03T17:08:53.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13381 (GCVE-0-2025-13381)
Vulnerability from nvd – Published: 2025-11-27 09:27 – Updated: 2025-12-03 21:09
VLAI?
Title
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.0 - Missing Authorization to Unauthenticated Media File Uploads
Summary
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | AI ChatBot with ChatGPT and Content Generator by AYS |
Affected:
* , ≤ 2.7.0
(semver)
|
Credits
Chokri Hammedi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:08:57.938848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:09:06.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI ChatBot with ChatGPT and Content Generator by AYS",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "2.7.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chokri Hammedi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the \u0027ays_chatgpt_save_wp_media\u0027 function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T09:27:49.560Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be3411ec-0e34-4b0b-a04c-98ac94396989?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3585"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/includes/class-chatgpt-assistant.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3268"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3597"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650\u0026old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T20:38:46.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-26T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "AI ChatBot with ChatGPT and Content Generator by AYS \u003c= 2.7.0 - Missing Authorization to Unauthenticated Media File Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13381",
"datePublished": "2025-11-27T09:27:49.560Z",
"dateReserved": "2025-11-18T20:23:35.769Z",
"dateUpdated": "2025-12-03T21:09:06.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13378 (GCVE-0-2025-13378)
Vulnerability from nvd – Published: 2025-11-27 09:27 – Updated: 2025-12-03 17:08
VLAI?
Title
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.0 - Unauthenticated Server-Side Request Forgery via 'pinecone_url' Parameter
Summary
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity ?
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | AI ChatBot with ChatGPT and Content Generator by AYS |
Affected:
* , ≤ 2.7.0
(semver)
|
Credits
Chokri Hammedi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T17:08:46.351229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:08:53.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI ChatBot with ChatGPT and Content Generator by AYS",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "2.7.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chokri Hammedi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T09:27:48.378Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/293ad145-dc93-4d7a-83ba-78f8c730ed6d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3483"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/admin/class-chatgpt-assistant-admin.php#L3483"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/includes/class-chatgpt-assistant.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650\u0026old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T20:13:55.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-26T21:00:16.000+00:00",
"value": "Disclosed"
}
],
"title": "AI ChatBot with ChatGPT and Content Generator by AYS \u003c= 2.7.0 - Unauthenticated Server-Side Request Forgery via \u0027pinecone_url\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13378",
"datePublished": "2025-11-27T09:27:48.378Z",
"dateReserved": "2025-11-18T19:56:37.440Z",
"dateUpdated": "2025-12-03T17:08:53.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}