What happened
CVE-2025-69134 (CVSS 7.5 High, published 2026-07-02) affects the 'OpenAI Chatbot for WordPress – Helper' plugin through version 1.1.4. An unauthenticated attacker can delete arbitrary WordPress content (posts, pages, custom post types) through an unprotected endpoint.
Why it matters
This plugin integrates OpenAI's API into WordPress for chatbot functionality. Unauthenticated content deletion allows attackers to destroy the knowledge base, conversation logs, or configuration posts that feed the AI chatbot — effectively disabling or defacing the AI-powered customer interface of affected sites without any credentials.
Attack vector
An unauthenticated HTTP request to the vulnerable endpoint, carrying a target content ID, permanently deletes WordPress content. No credentials are required.
Affected systems
OpenAI Chatbot for WordPress – Helper plugin ≤ 1.1.4
Mitigation
Update to a patched version beyond 1.1.4 or remove the plugin if unused. Patchstack advisory: https://patchstack.com/database/wordpress/plugin/helper/vulnerability/wordpress-openai-chatbot-for-wordpress-helper-plugin-1-1-4-arbitrary-content-deletion-vulnerability
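To find installs that still need the update, the following added example (not from the advisory or the plugin's authors) reads the plugin's Version header on disk and compares it with 1.1.4. It assumes the plugin is installed in a directory named helper, the slug in the Patchstack URL; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "helper"       # assumption: directory name equals the slug in the Patchstack URL
LAST_VULNERABLE = (1, 1, 4)  # advisory: affected through version 1.1.4
# Header line as WordPress writes it, e.g. " * Version: 1.1.4"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

def parse_version(text):
    """'1.1.4' -> (1, 1, 4); pre-release suffixes and trailing zeros are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only looks at the start of a file (about 8 KB) for headers
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match and NAME_RE.search(head):
            return match.group(1)
    return None

def audit(plugins_dir):
    """Classify one wp-content/plugins directory; returns (status, version)."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)  # directory exists but no header: check by hand
    if parse_version(version) <= LAST_VULNERABLE:
        return ("vulnerable", version)
    return ("patched", version)

if __name__ == "__main__":
    # Usage: python audit_helper.py /var/www/example/wp-content/plugins [...]
    worst = 0
    for path in sys.argv[1:]:
        status, version = audit(path)
        print(f"{path}: {status}" + (f" (version {version})" if version else ""))
        if status in ("vulnerable", "unknown"):
            worst = 1
    sys.exit(worst)
```

The exit status is non-zero when any path is vulnerable or unknown, so the script can gate a scheduled check across several sites.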