CVE-2023-1651 ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS

2023-05-0813:58:09

WPScan

www.cve.org

chatbot

wordpress

plugin

v4.4.9

security

update

stored xss

openai

settings

csrf

ajax

authorisation

0.001 Low

EPSS

Percentile

23.6%

JSON

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "AI ChatBot",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "4.4.9"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

References

wpscan.com/vulnerability/c88b22ba-4fc2-49ad-a457-224157521bad

0.001 Low

EPSS

Percentile

23.6%

JSON

Related for CVELIST:CVE-2023-1651