PT-2024-15159 · 10Web · 10Web Ai Assistant

Krzysztof Zając · Published 2024-02-05 · Updated 2024-02-13 · CVE-2023-6985

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: 10Web AI Assistant versions up to, and including, 1.0.18

Description: The issue allows authenticated attackers with subscriber-level access and above to install arbitrary plugins, potentially gaining further access to a compromised site. This is due to a missing capability check on the install plugin AJAX action.

Recommendations: For versions up to, and including, 1.0.18, update to a version higher than 1.0.18 to resolve the issue. As a temporary workaround, consider restricting access to the install plugin AJAX action to prevent unauthorized plugin installations.
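
The missing check described above, shown as an added example of a WordPress AJAX install handler with the capability check in place. This is not the 10Web plugin's code: the action name `example_install_plugin`, the nonce field `nonce` and the slug allowlist are hypothetical placeholders.

```php
<?php
// Added illustration; not 10Web's code. The action name, nonce action and
// slug allowlist below are hypothetical placeholders.
const EXAMPLE_ALLOWED_SLUGS = array( 'example-companion-plugin' ); // constructed

// wp_ajax_{action} fires for ANY logged-in user, subscribers included, so
// registering the hook is not an authorization decision by itself.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin' );

function example_install_plugin() {
    // 1. CSRF: a nonce proves the request came from our admin page.
    //    It does not prove the caller is allowed to install plugins.
    if ( ! check_ajax_referer( 'example_install_plugin', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization: the capability check whose absence the advisory
    //    describes. Subscribers do not hold install_plugins.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input: only install slugs this feature actually needs.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, EXAMPLE_ALLOWED_SLUGS, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not permitted.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the download link from the plugin directory API
    // rather than accepting a URL from the request.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( true !== $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```

When reviewing other plugins for the same weakness, look for `wp_ajax_` handlers that change site state and reach privileged core functions without a `current_user_can()` call before the first side effect.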

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2023-6985

Affected Products: 10Web Ai Assistant