WordPress 7.0 Flaw Exposes AI API Keys to Cybercriminals

Image credit: Search Engine Journal

A critical security vulnerability in WordPress 7.0 is exposing highly valuable AI API keys in plain text, making WordPress sites significantly more attractive targets for cybercriminals globally.

The flaw allows hackers to potentially steal credentials worth tens of thousands of dollars, enabling them to power AI bot networks for social engineering, phishing campaigns and malware creation, according to cybersecurity experts.

Oliver Sild, founder of security firm Patchstack, warned of an impending surge in hacker activity aimed at acquiring these AI API keys due to their substantial monetary value and potential for misuse.

The security bug specifically exposes AI API keys through browser autofill suggestions during the integration setup process, making them vulnerable to theft during screen sharing sessions or when shared computers are used, Sild said.

These keys are essential for WordPress plugins and themes to interact with artificial intelligence services such as OpenAI, Anthropic‘s Claude and Google Gemini, and are used for billing purposes.

Stolen AI API keys could be exploited by malicious actors to generate sophisticated phishing content, craft advanced malware or access sensitive data, according to security researchers.

WordPress co-founder Matt Mullenweg maintained that the “vast majority” of WordPress sites remain secure despite the identified vulnerability.

However, other developers, including Andrei Lupu and Steve Jones of Equalize Digital, highlighted architectural challenges in securing such secrets given WordPress’s long-standing plugin trust model.

Brian Coords, a developer at Automattic, the parent company of WordPress and WooCommerce, acknowledged that the current WordPress architecture, designed before the widespread use of monetizable AI credentials and large language model integrations, struggles with effectively isolating API keys and managing plugin permissions.

The architecture’s design predates the current era of highly valuable, monetizable AI credentials, making effective isolation of API keys and granular management of plugin permissions a significant challenge, Coords told reporters.

Security experts are urging WordPress users and administrators to exercise extreme caution when handling AI API keys and to implement best practices for credential management to mitigate the risks posed by this vulnerability.

Source: Search Engine Journal