CVE-2026-25338 MEDIUM

CVE-2026-25338: WordPress AI ChatBot with ChatGPT and Content Generator by AYS plugin <= 2.7.4 - Broken Access Control vulnerability

Vendor Ays Pro
Product AI ChatBot with ChatGPT and Content Generator by AYS
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI ChatBot with ChatGPT and Content Generator by AYS: from n/a through <= 2.7.4.

Explanation of Vulnerability in Simple Terms

02Summary

The AI ChatBot with ChatGPT and Content Generator plugin for WordPress versions 2.7.4 and earlier lacks proper authorization checks. An attacker can modify data without authentication, such as altering chatbot settings or content. No user interaction is required. Site administrators should update to a version newer than 2.7.4 as soon as available.

What an attacker can do

03Attacker Capabilities

Modify chatbot settings and content without logging in.

Potential impact on your site

04Site Impact

Attackers can alter your chatbot responses, settings, or generated content without permission.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication required.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-7563 Classified Listing <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions CVE-2026-24545 WordPress QR Redirector plugin <= 2.0.3 - Broken Access Control vulnerability CVE-2024-29229 CVE-2024-33910 WordPress Digital Publications by Supsystic plugin <= 1.7.7 - Broken Access Control vulnerability CVE-2020-36716 WP Activity Log <= 4.0.1 - Missing Authorization