CVE-2025-62154

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description

Missing Authorization vulnerability in recorp AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One ai-content-writing-assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One: from n/a through <= 1.1.7.

Analysis

Missing authorization in the AI Content Writing Assistant WordPress plugin (versions up to 1.1.7) allows unauthenticated or low-privileged users to access restricted functionality through incorrectly configured access controls. The flaw is a broken access control condition (CWE-862): the plugin does not properly validate user permissions before granting access to sensitive operations. While EPSS scoring indicates low exploitation probability (0.04th percentile), the missing check creates a direct pathway for unauthorized feature access.

Technical Context

The AI Content Writing Assistant plugin adds content generation, ChatGPT integration, and image generation capabilities to WordPress. The vulnerability stems from a missing authorization check (CWE-862: Missing Authorization) in the WordPress plugin architecture: access control decisions are not properly enforced at the API or function handler level. WordPress plugins typically use nonce verification and role-based capability checks (via user meta and wp_capabilities) to restrict access; this plugin fails to implement or correctly validate these controls. A nonce protects against forged requests and is not an authorization control, so the permission decision has to come from a capability check such as current_user_can(). The affected plugin versions (up to 1.1.7) do not perform adequate permission validation before exposing premium or administrative features to the requesting user. This class of vulnerability is common in WordPress plugins when developers omit the standard get_current_user_id() and current_user_can() WordPress functions or implement them incorrectly.

Affected Products

The vulnerability affects the AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One WordPress plugin in versions from inception through 1.1.7 inclusive. The plugin is identified by the CPE-like identifier ai-content-writing-assistant and is distributed via the WordPress plugin repository. Full vulnerability details and affected version confirmation are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/ai-content-writing-assistant/vulnerability/wordpress-ai-content-writing-assistant-content-writer-chatgpt-image-generator-all-in-one-plugin-1-1-7-broken-access-control-vulnerability.

Remediation

Update the AI Content Writing Assistant plugin to the earliest patched version above 1.1.7 (version 1.1.8 or later if available from the plugin repository). Users should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate 'AI Content Writing Assistant,' and click 'Update Now' if a newer version is available. If automatic updates are not configured, manually download the latest version from the WordPress Plugin Directory and upload via Dashboard > Plugins > Add New > Upload Plugin. Verify the plugin activation and test core features post-update. Until an update is available, consider deactivating the plugin if it is non-critical to operations. For additional remediation context and to confirm patch availability, consult the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/ai-content-writing-assistant/) and check the official plugin repository changelog.
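To find installs that still fall in the affected range, the following added example (not code from vuln.today, Patchstack or the plugin) reads the Version header of the plugin under a wp-content/plugins directory and compares it with 1.1.7. The slug and the version bound come from this advisory; the function names, status strings and the sample fixture file are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "ai-content-writing-assistant"  # plugin slug given in the advisory
LAST_AFFECTED = (1, 1, 7)              # advisory: affected through <= 1.1.7
# WordPress takes plugin metadata from a header comment near the top of a PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'1.1.7' -> (1, 1, 7); parsing stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def installed_version(plugins_dir):
    """Return the Version header string, '' if none is found, None if not installed."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return ""

def audit(plugins_dir):
    """Classify one wp-content/plugins directory against the advisory's range."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    parsed = parse_version(version)
    if not parsed:
        return "unknown-version"
    parsed += (0,) * (3 - len(parsed))  # treat '1.1' as '1.1.0'
    return "affected" if parsed <= LAST_AFFECTED else "outside-affected-range"

def make_sample(root, version):
    """Constructed test fixture: a minimal plugin folder with a header comment."""
    folder = Path(root) / SLUG
    folder.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Sample\n * Version: {version}\n */\n"
    (folder / "sample-main.php").write_text(header, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample(tmp, "1.1.7")))
```

Call audit() with the path to a site's wp-content/plugins directory. A result of "outside-affected-range" only means the version number is above 1.1.7; confirm the fix against the plugin changelog as described above.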

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
