Server-Side Request Forgery Vulnerability in AYS AI ChatBot Plugin for WordPress
CVE-2025-13378

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Ai Chatbot With Chatgpt And Content Generator By Ays
Vendor: CVE Published:; 27 November 2025

What is CVE-2025-13378?

The AYS AI ChatBot with ChatGPT and Content Generator plugin for WordPress exhibits a vulnerability allowing Server-Side Request Forgery. This flaw exists in all versions up to and including 2.7.0, through the ays_chatgpt_pinecone_upsert function. It enables unauthenticated attackers to send unauthorized web requests to arbitrary external locations, potentially querying and altering information from internal services. This can lead to significant security risks as attackers may exploit this vulnerability to gain access to sensitive internal data or perform unintended operations.

Affected Version(s)

AI ChatBot with ChatGPT and Content Generator by AYS * <= 2.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ays-chatgpt-as...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2025
Vulnerability Reserved
Nov 18, 2025

Credit

Chokri Hammedi

JSON