{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12043", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T19:03:42.165Z", "datePublished": "2025-11-25T07:28:18.304Z", "dateUpdated": "2026-04-08T16:34:17.716Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:17.716Z"}, "affected": [{"vendor": "autochat", "product": "Autochat Automatic Conversation", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID."}], "title": "Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve"}, {"url": "https://wordpress.org/plugins/auyautochat-for-wp/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-24T19:14:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:46:30.350550Z", "id": "CVE-2025-12043", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:46:42.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:46:30.350550Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:46:32.983Z"}}], "cna": {"title": "Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "autochat", "product": "Autochat Automatic Conversation", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:14:49.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve"}, {"url": "https://wordpress.org/plugins/auyautochat-for-wp/"}], "descriptions": [{"lang": "en", "value": "The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-25T07:28:18.304Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12043", "state": "PUBLISHED", "dateUpdated": "2025-11-25T14:46:42.572Z", "dateReserved": "2025-10-21T19:03:42.165Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:18.304Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID."}], "id": "CVE-2025-12043", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:48.157", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/auyautochat-for-wp/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:02:47.472115+00:00", "value": {"mitigation_remediation": ["Update the Autochat Automatic Conversation plugin to the latest version that addresses the missing capability check.", "If an immediate update is not possible, block or restrict the wp_ajax_nopriv_auycht_saveCid endpoint so that only authenticated users can invoke it, for example by using a security plugin or custom code to drop unauthenticated requests to that URL.", "If the plugin is not critical to the site\u2019s functionality, consider disabling or uninstalling it to eliminate the vulnerability."], "summary": {"action": "Apply Fix", "impact": "Unauthorized Settings Modification"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Autochat Automatic Conversation plugin installed, versions 1.1.9 and earlier, regardless of site role or user authentication state.", "description_and_impact": "The Autochat Automatic Conversation plugin for WordPress is vulnerable because the wp_ajax_nopriv_auycht_saveCid endpoint lacks a capability check. This missing authorization allows any unauthenticated user to send requests that modify the plugin\u2019s client ID, effectively enabling the attacker to connect or disconnect the client from the conversation system. The flaw does not provide direct remote code execution, but it compromises the integrity of the plugin\u2019s configuration and can alter user experience or data flow.", "risk_and_exploitability": "The CVSS structure of 5.3 indicates moderate impact when exploited. However, the EPSS score of less than 1% reflects a very low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would simply craft unauthenticated HTTP POST requests to the vulnerable AJAX endpoint, requiring no credentials and minimal effort. Given the lack of an authentication requirement, the vulnerability is readily exploitable as long as the plugin remains installed in a WordPress environment."}}}}, "created": "2025-11-26T11:10:58.899599+00:00", "updated": "2026-04-22T21:15:27.674521+00:00", "vendors": ["autochat", "autochat$PRODUCT$automatic_conversation", "wordpress", "wordpress$PRODUCT$wordpress"]}