Kieran Burge

**Name of the Vulnerable Software and Affected Versions** The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin versions prior to 2.1.0 **Description** The issue allows unauthenticated users to obtain the Open AI API Key. This is due to the disclosure of the Open AI API Key in the plugin. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin versions prior to 2.1.0 **Description** The issue is related to insufficient access controls in the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin, allowing an unauthenticated user to disconnect the plugin from OpenAI. This can be achieved through multiple accessible actions: `ays chatgpt disconnect`, `ays chatgpt connect`, and `ays chatgpt save feedback`. **Recommendations** For versions prior to 2.1.0, upgrade to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ays chatgpt disconnect`, `ays chatgpt connect`, and `ays chatgpt save feedback` actions to prevent unauthorized disconnection from OpenAI.

**Name of the Vulnerable Software and Affected Versions** The Chatbot with ChatGPT WordPress plugin versions prior to 2.4.6 **Description** The issue is related to a lack of proper authorization in one of the plugin's REST endpoints, allowing unauthenticated users to retrieve an encoded key, which can then be decoded, resulting in the leak of the OpenAI API key. **Recommendations** For versions prior to 2.4.6, update to version 2.4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable REST endpoint until a patch is applied. Avoid using the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot WordPress plugin versions 1.0.2 and earlier **Description** The issue is related to the lack of sanitization and escaping of some settings in the plugin, which could allow high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions 1.0.2 and earlier, update to a version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Generate Images WordPress plugin versions prior to 5.2.8 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 5.2.8, update to version 5.2.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the plugin's settings to minimize the risk of exploitation.