Hive Support WordPress Plugin Missing Authorization Vulnerability in AI Chat Settings Update and Binbox Retrieval Functions

Vulnerability

A vulnerability exists in the Hive Support plugin for WordPress in versions through 1.2.4. The issue arises from missing capability checks in the 'hs_update_ai_chat_settings()' and 'hive_lite_support_get_all_binbox()' functions. This flaw allows authenticated attackers with Subscriber-level access or higher to access and modify data without authorization. Exploitation could lead to unauthorized reading and overwriting of the site's OpenAI API key, inspection data, and AI chat prompts and behavior.

Impact

Exploitation of this vulnerability could result in unauthorized access to and modification of sensitive data, including the OpenAI API key and related inspection data, as well as AI chat prompts and behavior.

Remediation

No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.

Added: Jun 6, 2025, 7:29 AM
Updated: Jun 6, 2025, 7:29 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.9
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.