CVE-2025-0744

Name of the Vulnerable Software and Affected Versions EmbedAI versions 2.1 and below

Description An Improper Access Control issue has been found, allowing an authenticated attacker to change their subscription plan without paying. This is achieved by making a POST request to the "/demos/embedai/pmt cash on delivery/pay" endpoint and altering its parameters.

Recommendations For EmbedAI versions 2.1 and below, as a temporary workaround, consider restricting access to the "/demos/embedai/pmt cash on delivery/pay" endpoint to prevent unauthorized changes to subscription plans. At the moment, there is no information about a newer version that contains a fix for this vulnerability.