
1134 matches found

WPVulnDB
added 2023/11/23 12:0 a.m., 26 views

AI ChatBot < 4.9.1 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file

Description: The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "...

CVSS: 9.6 | AI score: 7 | EPSS: 0.02066
Exploits: 2 | References: 1 | Affected Software: 1
HackRead
added 2023/11/13 11:18 p.m., 20 views

Malicious Abrax666 AI Chatbot Exposed as Potential Scam

By Waqas. Abrax666 AI Chatbot is being boasted by its developer as a malicious alternative to ChatGPT, claiming it's a perfect multitasking tool for both ethical and unethical activities.

AI score: 7.3
Exploits: 0
ATTACKERKB
added 2023/11/02 9:15 a.m., 1 views

CVE-2023-5606

The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject...

CVSS: 4.8 | AI score: 5.9 | EPSS: 0.00416
Exploits: 2 | References: 3 | Affected Software: 1
OSV
added 2023/11/02 9:15 a.m., 1 views

CVE-2023-5606

The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject...

CVSS: 4.8 | AI score: 5.9 | EPSS: 0.0032
Exploits: 0 | References: 2
Vulnrichment
added 2023/11/02 8:31 a.m., 10 views

CVE-2023-5606

The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject...

CVSS: 4.4 | AI score: 4.8 | EPSS: 0.0032
Exploits: 0 | References: 2
CVE
added 2023/11/02 8:31 a.m., 104 views

CVE-2023-5606

The CVE-2023-5606 issue affects the WordPress Plugin ChatBot, specifically versions 4.8.6 through 4.9.6. The root cause is insufficient input sanitization and output escaping in the FAQ Builder, enabling Stored Cross-Site Scripting. Impact is limited to sites using multisite installations or with...

CVSS: 4.8 | AI score: 4.9 | EPSS: 0.0032
Exploits: 0 | References: 2 | Affected Software: 1
CNNVD
added 2023/11/02 12:0 a.m., 3 views

WordPress Plugin ChatBot Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS: 4.8 | AI score: 6.1 | EPSS: 0.0032
Exploits: 0 | References: 3
Patchstack
added 2023/11/02 12:0 a.m., 6 views

WordPress ChatBot Plugin 4.8.6-4.9.6 is vulnerable to Cross Site Scripting (XSS)

Software: ChatBot; Type: Plugin; Vulnerable versions: 4.8.6-4.9.6; Fixed in: 4.9.7; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-5606; Patch priority: Low; CVSS severity: Low (5.9); PSID: 5c671cd5cf6e; Credits: Huynh Tien Si; Required...

CVSS: 4.8 | AI score: 5.8 | EPSS: 0.0032
Exploits: 0 | References: 2 | Affected Software: 1
0day.today
added 2023/10/26 12:0 a.m., 391 views

WordPress AI ChatBot 4.8.9 SQL Injection / Traversal / File Deletion Vulnerabilities

Vulnerability Details and Technical Analysis: The AI ChatBot plugin provides website owners with a plug and play chat solution that can be expanded upon with customizable FAQs and custom text responses. It provides website users with an interface that allows them to look up order information, leav...

CVSS: 9.8 | AI score: 7.8 | EPSS: 0.06888
Exploits: 4
Packet Storm
added 2023/10/26 12:0 a.m., 460 views

WordPress AI ChatBot 4.8.9 SQL Injection / Traversal / File Deletion

Vulnerability Details and Technical Analysis: The AI ChatBot plugin provides website owners with a plug and play chat solution that can be expanded upon with customizable FAQs and custom text responses. It provides website users with an interface that allows them to look up order information, leav...

CVSS: 9.8 | AI score: 6.6 | EPSS: 0.06888
Exploits: 4
Wordfence Blog
added 2023/10/25 2:32 p.m., 53 views

Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress

On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations. After making our initial contact attempt on September 28th, 2023, we received a response ...

CVSS: 7.5 | AI score: 8.7 | EPSS: 0.06888
Exploits: 5
Schneier on Security
added 2023/10/25 11:7 a.m., 16 views

Microsoft is Soft-Launching Security Copilot

Microsoft has announced an early access program for its LLM-based security chatbot assistant: Security Copilot. I am curious whether this thing is actually useful...

AI score: 7
Exploits: 0
WPVulnDB
added 2023/10/24 12:0 a.m., 24 views

AI ChatBot < 4.9.3 - Cross-Site Request Forgery (CSRF)

Description: The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged-in user to submit a crafted request. This vulnerability is the same as CVE-2023-5534, but was reintroduced in version 4.9....

AI score: 5.5 | EPSS: 0.00206
Exploits: 0 | References: 1 | Affected Software: 1
WPVulnDB
added 2023/10/24 12:0 a.m., 27 views

AI ChatBot < 4.9.3 - Subscriber+ Arbitrary File Deletion

Description: The plugin does not properly validate files to be deleted in the qcldopenaideletetrainingfile function, allowing users with roles as low as subscriber to delete arbitrary files on the server. This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version...

AI score: 8 | EPSS: 0.01626
Exploits: 2 | References: 1 | Affected Software: 1
WPVulnDB
added 2023/10/24 12:0 a.m., 17 views

AI ChatBot < 4.9.3 - Missing authorization in AJAX calls

Description: The plugin does not check capabilities when processing AJAX actions, allowing unauthenticated attackers to perform actions intended for higher privileged users. This vulnerability is the same as CVE-2023-5533 but was reintroduced in version 4.9.2...

AI score: 9.4 | EPSS: 0.00531
Exploits: 0 | References: 1 | Affected Software: 1
WPVulnDB
added 2023/10/24 12:0 a.m., 19 views

AI ChatBot < 4.9.1 - Missing authorization in AJAX calls

Description: The plugin does not check capabilities when processing AJAX actions, allowing unauthenticated attackers to perform actions intended for higher privileged users...

CVSS: 9.8 | AI score: 6.4 | EPSS: 0.00531
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2023/10/20 8:15 a.m., 4 views

CVE-2023-5533

The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions tha...

CVSS: 9.8 | AI score: 7.3 | EPSS: 0.00531
Exploits: 0 | References: 2
NVD
added 2023/10/20 8:15 a.m., 22 views

CVE-2023-5534

The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce validation on the corresponding functions. This makes it possible for unauthenticated attackers to invoke those functions vi...

CVSS: 5.4 | AI score: 4.4 | EPSS: 0.00206
Exploits: 0 | References: 2
Prion
added 2023/10/20 8:15 a.m., 31 views

Design/Logic Flaw

The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions tha...

CVSS: 7.5 | AI score: 9.2 | EPSS: 0.00531
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2023/10/20 7:29 a.m., 66 views

CVE-2023-5533

CVE-2023-5533 affects the WordPress AI ChatBot plugin. The vulnerability arises from missing capability checks on multiple AJAX actions, allowing unauthenticated users to invoke actions intended for higher-privileged users. Affected versions are up to and including 4.8.9 and also 4.9.2. Wordfence...

CVSS: 9.8 | AI score: 9.2 | EPSS: 0.00531
Exploits: 0 | References: 2 | Affected Software: 1