Vulnerability  ·  2026-07-04

OpenAI WordPress Chatbot Helper Plugin — Unauthenticated Arbitrary Content Deletion (CVE-2025-69134)

Vulnerability · Medium impact · Global · CVE-2025-69134
CVE-2025-69134 (CVSS 7.5 High, published 2026-07-02) affects the 'OpenAI Chatbot for WordPress – Helper' plugin through version 1.1.4. An unauthenticated attacker can delete arbitrary WordPress content (posts, pages, custom post types) through an unprotected endpoint.
This plugin integrates OpenAI's API into WordPress for chatbot functionality. Unauthenticated content deletion allows attackers to destroy the knowledge base, conversation logs, or configuration posts that feed the AI chatbot — effectively disabling or defacing the AI-powered customer interface of affected sites without any credentials.
An unauthenticated HTTP request to the vulnerable endpoint with a target content ID permanently deletes that WordPress content; no credentials are required.
OpenAI Chatbot for WordPress – Helper plugin ≤ 1.1.4
Update to a patched version beyond 1.1.4 or remove the plugin if unused. Patchstack advisory: https://patchstack.com/database/wordpress/plugin/helper/vulnerability/wordpress-openai-chatbot-for-wordpress-helper-plugin-1-1-4-arbitrary-content-deletion-vulnerability
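A defender-side check for the affected range stated above, as an added example that is not code from the plugin or the advisory: it reads the WordPress plugin header under `wp-content/plugins/helper` and flags versions through 1.1.4. The directory name `helper` is assumed from the slug in the Patchstack URL, and the main file name `helper.php` used in the constructed demo is hypothetical.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (1, 1, 4)   # advisory: affected through 1.1.4
PLUGIN_SLUG = "helper"     # assumption: directory name equals the Patchstack URL slug
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'1.1.4-beta' -> (1, 1, 4); None when no numeric version is present."""
    nums = re.findall(r"\d+", (text or "").split("-")[0])
    return tuple(int(n) for n in nums) or None

def is_affected(version):
    """True when the version is within the advisory's range (<= 1.1.4)."""
    v = parse_version(version)
    if v is None:
        return True  # unknown version: treat as affected until checked by hand
    width = max(len(v), len(AFFECTED_MAX))
    pad = lambda t: t + (0,) * (width - len(t))  # so 1.1.4.0 compares equal to 1.1.4
    return pad(v) <= pad(AFFECTED_MAX)

def read_plugin_header(php_file):
    """Return (name, version) from a WordPress plugin header comment, or None."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {k.lower(): v for k, v in HEADER_RE.findall(head)}
    # Files without a "Plugin Name" header are includes, not the plugin's main file.
    return (fields["plugin name"], fields.get("version")) if "plugin name" in fields else None

def check_site(wp_root):
    """List (file, name, version, affected) for the plugin under one WordPress root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return []  # plugin not installed under this root
    findings = []
    for php in sorted(plugin_dir.glob("*.php")):
        header = read_plugin_header(php)
        if header:
            findings.append((php.name, header[0], header[1], is_affected(header[1])))
    return findings

def demo(version):
    """Scan a constructed WordPress tree; the file name helper.php is hypothetical."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "helper.php").write_text(
            "<?php\n/**\n * Plugin Name: OpenAI Chatbot for WordPress – Helper\n"
            f" * Version: {version}\n */\n", encoding="utf-8")
        return check_site(root)
```

Run `check_site` against each WordPress root on a host; a final tuple element of `True` means that install falls inside the advisory's range.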
NVD — CVE-2025-69134 · Patchstack Advisory