Assistio
Monthly
Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.
Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.