Unauthorized Data Modification in 10Web AI Assistant for WordPress
CVE-2023-6985

8.8HIGH

Key Information:

Vendor: Wordpress
Status: 10Web AI Assistant – AI content writing assistant
Vendor: CVE Published:; 5 February 2024

Summary

The 10Web AI Assistant, an AI content writing plugin for WordPress, contains a security flaw that allows unauthorized data modification due to a missing capability check on the install_plugin AJAX action. This vulnerability impacts all versions up to and including 1.0.18. Authenticated attackers with subscriber-level access or above can exploit this weakness to install arbitrary plugins, potentially compromising the integrity and security of affected WordPress sites. It is crucial for users to assess their installations and apply necessary updates to mitigate risk.

Affected Version(s)

10Web AI Assistant – AI content writing assistant * <= 1.0.18

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3027004/ai-a...

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 5, 2024
Vulnerability Reserved
Dec 20, 2023

Credit

Krzysztof Zając