CVE-2026-1336 is a missing authorization vulnerability classified under CWE-862 found in the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin. The vulnerability exists because the plugin's functions store_data() and get_chatgpt_api_key() lack proper capability checks, allowing unauthenticated users to access and manipulate sensitive data, specifically the ChatGPT API key used by the plugin. This key is critical as it enables communication with OpenAI's ChatGPT services, and unauthorized access could lead to abuse of the API, potential data leakage, or disruption of chatbot functionality. The vulnerability affects all plugin versions up to and including 2.7.5. The vendor partially addressed the issue in version 2.7.5 and fully resolved it in 2.7.6. The CVSS v3.1 base score is 5.3, indicating a medium severity, with an attack vector of network, no privileges required, and no user interaction needed. Although no known exploits have been reported in the wild, the vulnerability poses a risk to WordPress sites using this plugin, especially those relying on ChatGPT API integration for content generation or chatbot services.

The vulnerability allows unauthenticated attackers to view, modify, or delete the ChatGPT API key stored by the plugin. This can lead to unauthorized use or abuse of the API key, potentially incurring financial costs or service disruptions. Attackers could manipulate chatbot behavior or disable chatbot functionality by altering stored data, impacting user experience and trust. Organizations relying on this plugin for customer interaction or content generation may face operational disruptions. Additionally, exposure of the API key could lead to further attacks against the OpenAI API or associated services. The lack of authentication requirement and remote exploitability increases the risk, especially for publicly accessible WordPress sites. While no known exploits exist yet, the vulnerability could be leveraged in targeted attacks or automated scanning campaigns.

Organizations should immediately upgrade the AI ChatBot with ChatGPT and Content Generator by AYS plugin to version 2.7.6 or later, where the vulnerability is fully fixed. Until the upgrade is applied, restrict access to the WordPress admin and plugin endpoints using web application firewalls (WAFs) or IP whitelisting to limit exposure. Review and rotate the ChatGPT API keys used by the plugin to invalidate any potentially compromised keys. Implement monitoring for unusual API usage patterns that could indicate abuse. Conduct regular security audits of WordPress plugins and remove or replace plugins that are no longer maintained or have known vulnerabilities. Additionally, apply the principle of least privilege for WordPress user roles to minimize the impact of any unauthorized access.