CVE-2024-0451
📋 TL;DR
The AI ChatBot WordPress plugin has an authorization vulnerability that allows authenticated users with subscriber-level access or higher to list files from a linked OpenAI account. This occurs because the openai_file_list_callback function lacks proper capability checks. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- AI ChatBot WordPress Plugin
📦 What is this software?
Wpbot by Quantumcloud
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate sensitive files in OpenAI accounts, potentially exposing confidential data, API keys, or proprietary information stored in those accounts.
Likely Case
Low-privileged users could discover file names and metadata from OpenAI accounts, potentially enabling further attacks or information gathering.
If Mitigated
With proper access controls, only authorized administrators could access OpenAI file listings, preventing information disclosure.
🎯 Exploit Status
Exploitation requires authenticated access to WordPress with subscriber privileges or higher.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'AI ChatBot' and click 'Update Now'.
4. Alternatively, download version 5.3.5+ from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Temporary Access Restriction
Restrict subscriber-level user creation and review existing low-privilege accounts
Plugin Deactivation
Temporarily disable the AI ChatBot plugin until patched
wp plugin deactivate chatbot
🧯 If You Can't Patch
- Remove subscriber-level user accounts or restrict their creation
- Monitor WordPress user activity logs for suspicious file listing attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins → Installed Plugins. If AI ChatBot version is 5.3.4 or lower, it's vulnerable.
Check Version:
wp plugin get chatbot --field=version
Verify Fix Applied:
Verify plugin version is 5.3.5 or higher after update. Check that the openai_file_list_callback function includes proper capability checks.
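The following is a constructed illustration added to this advisory, not the plugin's own code: it contrasts an AJAX callback with no authorization check (the pattern the advisory describes) with a hardened form that verifies a nonce and requires a capability only administrators hold. The `example_fetch_openai_files` helper is a hypothetical stand-in for the call to the OpenAI API.

```php
<?php
// Constructed illustration, not code from the plugin. The 'openai_file_list'
// action name follows the advisory; the helper below is hypothetical.

/**
 * Hypothetical helper: returns the file list from the linked OpenAI account.
 * In a real plugin this wraps an authenticated request to the OpenAI API.
 */
function example_fetch_openai_files() {
    return array( 'files' => array() );
}

/*
 * Vulnerable pattern: wp_ajax_* hooks fire for every logged-in user,
 * subscribers included, so a callback that never asks who is calling
 * hands the file list to any authenticated account.
 */
function openai_file_list_callback_vulnerable() {
    wp_send_json_success( example_fetch_openai_files() );
}

/*
 * Hardened pattern: reject forged requests via the nonce (CSRF), then
 * require a capability that only administrators hold before touching the
 * OpenAI account at all.
 */
function openai_file_list_callback_hardened() {
    // Dies with a 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'openai_file_list', 'nonce' );

    // Subscriber, contributor, author and editor roles all fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    wp_send_json_success( example_fetch_openai_files() );
}

// Register only the hardened handler, and deliberately no wp_ajax_nopriv_
// hook, so unauthenticated visitors never reach it.
add_action( 'wp_ajax_openai_file_list', 'openai_file_list_callback_hardened' );

// The front end obtains the matching nonce server-side, for example via
// wp_create_nonce( 'openai_file_list' ) passed through wp_localize_script().
```

When reviewing the patched plugin, look for the equivalent of the `current_user_can` check at the top of `openai_file_list_callback` before any OpenAI request is made.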
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to OpenAI file listing endpoints from non-admin users
- Multiple file listing requests from subscriber-level accounts
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=openai_file_list from sessions that do not belong to an administrator account
SIEM Query:
source="wordpress.log" AND "openai_file_list" AND user_role!="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L175
- https://plugins.trac.wordpress.org/changeset/3089461/chatbot/trunk/includes/openai/qcld-bot-openai.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0572a5-6cc9-43ab-a4a3-c8d3b93c8fcf?source=cve