What happened
CVE-2025-69134 (CVSS 7.5 High) was published to NVD on 2 July 2026. The OpenAI Chatbot for WordPress Helper plugin ≤ 1.1.4 does not require authentication for its content deletion functionality, allowing any unauthenticated user to delete arbitrary site content.
Why it matters
Plugins bridging WordPress with OpenAI APIs are increasingly common in content-heavy deployments. An unauthenticated deletion endpoint allows attackers to destroy site content — including AI-generated and human-written posts — without any credentials, causing availability and integrity damage to AI-assisted publishing workflows.
Attack vector
An unauthenticated remote attacker sends a crafted HTTP request to the plugin's deletion endpoint. Missing authentication allows the request to delete arbitrary WordPress content (posts, pages, attachments).
Affected systems
OpenAI Chatbot for WordPress – Helper plugin ≤ 1.1.4
Mitigation
Update to Helper plugin version 1.1.5 or later. Advisory: https://patchstack.com/database/wordpress/plugin/helper/vulnerability/wordpress-openai-chatbot-for-wordpress-helper-plugin-1-1-4-arbitrary-content-deletion-vulnerability