CVE-2025-39583
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Guideline Violation), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
An unauthenticated access control vulnerability in the BERTHA AI WordPress plugin allows privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The bertha-ai-free WordPress plugin, version 1.12.10.2 and earlier, contains a missing authorization vulnerability in various AJAX actions and REST API endpoints. The plugin improperly validates user capabilities when processing requests, allowing unauthenticated users to trigger server-side functions that should require higher-level (editor or administrator) privileges. The plugin has been closed in the WordPress.org repository [1].
Exploitation
An attacker who can reach a WordPress site running any affected version of the plugin (<= 1.12.10.2) can send crafted HTTP requests to the plugin’s unsecured AJAX callbacks. Because the plugin fails to enforce capability checks on these endpoints, the attacker can invoke administrative actions without any authentication or user interaction [1].
Impact
Successful exploitation allows an unauthenticated attacker to perform arbitrary administrative actions on the WordPress instance, such as modifying site options, installing or activating other plugins, or creating new administrative users. This leads to full site compromise (total loss of confidentiality, integrity, and availability) [1].
Mitigation
As of the published date (2025-04-17), no patched version is available. The plugin was removed from the WordPress.org plugin directory on 2026-01-31 and is no longer distributed. All users should immediately uninstall the plugin and remove any residual files. No workaround exists [1].
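To act on the uninstall advice across a host, the following added example (not part of the advisory or the plugin's code) walks a directory tree for copies of the bertha-ai-free plugin, reads the version from the plugin header, and flags directories left behind without a header as residual files. It assumes the default wp-content/plugins layout; the /var/www root and the status labels are choices made for this example.

```python
import os
import re

SLUG = "bertha-ai-free"         # plugin directory name (slug) from the advisory
LAST_AFFECTED = (1, 12, 10, 2)  # advisory: "1.12.10.2 and earlier"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header_text):
    """Return the plugin header version as an int tuple, or None if absent."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 1.2.0 the same as 1.2
        parts.pop()
    return tuple(parts)

def plugin_version(plugin_dir):
    """Look for a plugin header in the top-level .php files (first 8 KiB each)."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if name.endswith(".php") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read(8192))
            if version:
                return version
    return None

def find_installs(root):
    """Return (path, version, status) for every copy of the plugin under root."""
    findings = []
    suffix = os.sep + os.path.join("wp-content", "plugins")  # assumed default layout
    for dirpath, dirnames, _files in os.walk(root):
        if dirpath.endswith(suffix) and SLUG in dirnames:
            path = os.path.join(dirpath, SLUG)
            version = plugin_version(path)
            if version is None:
                status = "residual-files"        # directory left, no plugin header
            elif version <= LAST_AFFECTED:
                status = "affected"
            else:
                status = "outside-stated-range"  # no patched release is distributed
            findings.append((path, version, status))
            dirnames.remove(SLUG)                # do not descend into the plugin
    return findings

if __name__ == "__main__":
    for path, version, status in find_installs("/var/www"):  # assumed web root
        print(status, ".".join(map(str, version)) if version else "unknown", path)
```

Every path reported is a candidate for removal, whatever its status, because no patched version is being distributed.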
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
bertha-ai-free
This plugin has been removed from the WordPress.org directory on 2026-01-31 (reason: Guideline Violation). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References: 1
News mentions: 0. No linked articles in our index yet.