Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network AJAX endpoint reachable by any Subscriber (PR:L, AV:N, AC:L); impact is settings deletion only, no confidentiality or code execution path (C:N, A:N, I:L).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's options including the critical 'assistiobot_oauth_settings' option, which disrupts the plugin's integration with the Assistio bot service.
AnalysisAI
Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a Subscriber-level WordPress account on the target installation - unauthenticated exploitation is not possible per the CVSS PR:L vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, score 4.3) accurately characterizes the risk: network-exploitable with low complexity, but constrained to users who already hold a Subscriber account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who registers or already holds a Subscriber account on the target WordPress site sends a crafted HTTP POST request to the site's admin-ajax.php endpoint, invoking the assistio_plugin_delete_assistio_settings() action. Because the function performs no nonce or capability verification, the request succeeds immediately, deleting the 'assistiobot_oauth_settings' option and disabling the Assistio bot integration. … |
| Remediation | The primary fix is to update the Assistio plugin to a version beyond 1.1.2 once a patched release is published; no vendor-released patched version has been independently confirmed at time of analysis, and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/754f9598-3b41-4fe3-b290-8422031991a8 should be monitored for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38668
GHSA-m3g5-vj32-6hcw