Vulnerability  ·  2026-07-03

OpenAI Chatbot Helper WordPress Plugin — Unauthenticated Arbitrary Content Deletion (CVE-2025-69134)

Vulnerability · High impact · Global · CVE-2025-69134
CVE-2025-69134 (CVSS 7.5 High) was published to NVD on 2 July 2026. The OpenAI Chatbot for WordPress Helper plugin ≤ 1.1.4 does not require authentication for its content deletion functionality, allowing any unauthenticated user to delete arbitrary site content.
Plugins bridging WordPress with OpenAI APIs are increasingly common in content-heavy deployments. An unauthenticated deletion endpoint allows attackers to destroy site content — including AI-generated and human-written posts — without any credentials, causing availability and integrity damage to AI-assisted publishing workflows.
An unauthenticated remote attacker sends a crafted HTTP request to the plugin's deletion endpoint. Missing authentication allows the request to delete arbitrary WordPress content (posts, pages, attachments).
OpenAI Chatbot for WordPress – Helper plugin ≤ 1.1.4
Update to Helper plugin version 1.1.5 or later. Advisory: https://patchstack.com/database/wordpress/plugin/helper/vulnerability/wordpress-openai-chatbot-for-wordpress-helper-plugin-1-1-4-arbitrary-content-deletion-vulnerability
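One way to find installations that still need this update, as an added example that is not part of the advisory or the plugin's own code: it reads the plugin's `Version:` header on disk and flags anything below 1.1.5. The directory name `helper` is assumed from the slug in the Patchstack URL, and `constructed_site` only builds constructed sample data.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "helper"     # assumption: directory name taken from the Patchstack URL slug
FIXED_VERSION = (1, 1, 5)  # first fixed release named in the advisory

# WordPress reads plugin headers from the first 8 KiB of each top-level PHP file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def parse_version(text):
    """Turn '1.1.4' into (1, 1, 4); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]
        if b"Plugin Name:" in head:
            match = HEADER_RE.search(head)
            return match.group(1).decode() if match else None
    return None


def classify(plugin_dir):
    if not plugin_dir.is_dir():
        return "absent"
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown"  # no readable header: review this site by hand
    return "vulnerable" if parse_version(version) < FIXED_VERSION else "patched"


def audit(wp_roots):
    """Map each WordPress root directory to its status for CVE-2025-69134."""
    return {str(r): classify(Path(r) / "wp-content" / "plugins" / PLUGIN_SLUG) for r in wp_roots}


def constructed_site(base, name, version):
    """Build a constructed sample site; file name and header text are made up."""
    plugin_dir = Path(base) / name / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/*\n * Plugin Name: Helper (constructed sample)\n * Version: {version}\n */\n"
    (plugin_dir / "helper.php").write_text(header)
    return Path(base) / name


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on constructed data only
        print(audit([constructed_site(tmp, "old", "1.1.4"), constructed_site(tmp, "new", "1.1.5")]))
```

The result reflects what is installed on disk; whether the plugin is activated is stored in the WordPress database and is not checked here.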
Sources
NVD — CVE-2025-69134
Patchstack Advisory