111 matches found

WPVulnDB
added 2023/04/12 12:0 a.m. · 16 views

ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS

The plugin does not have authorisation and CSRF checks in the AJAX action responsible for updating the OpenAI settings, allowing any authenticated user, such as a subscriber, to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS. PoC: Run the below command...

5.4 CVSS · 5.2 AI score · 0.00242 EPSS
Exploits: 2 · Affected Software: 1
WPVulnDB
added 2023/04/12 12:0 a.m. · 11 views

ChatBot < 4.5.1 - Admin+ Stored XSS

The plugin does not sanitise and escape a number of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). PoC: Put the following payload in the Your...

4.8 CVSS · 5.1 AI score · 0.00442 EPSS
Exploits: 2 · Affected Software: 1
WPVulnDB
added 2023/04/12 12:0 a.m. · 16 views

ChatBot < 4.4.7 - Unauthenticated PHP Object Injection

The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog. PoC: To simulate a gadget chain, put the following code in a plugin: class Evil public functio...

9.8 CVSS · 9.4 AI score · 0.34351 EPSS
Exploits: 2 · Affected Software: 1
Patchstack
added 2023/03/30 12:0 a.m. · 4 views

WordPress ChatBot Plugin <= 4.4.7 is vulnerable to Broken Access Control

Software: ChatBot
Type: Plugin
Vulnerable versions: <= 4.4.7
Fixed in: 4.4.8
OWASP Top 10: A5: Broken Access Control
Classification: Broken Access Control
CVE: N/A
Patch priority: Medium
CVSS severity: Medium 5.3
PSID: 306f61075427
Credits: Unknown
Required privilege: Subscriber...

6.8 AI score
Exploits: 0 · References: 2 · Affected Software: 1
OSV
added 2023/03/29 7:15 p.m. · 3 views

CVE-2022-47613

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud AI ChatBot plugin <= 4.3.0 versions...

4.8 CVSS · 5.8 AI score · 0.00421 EPSS
Exploits: 0 · References: 1
OSV
added 2023/02/23 4:15 p.m. · 3 views

CVE-2023-24415

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions...

8.8 CVSS · 7.3 AI score · 0.00264 EPSS
Exploits: 0 · References: 1
NVD
added 2023/02/23 4:15 p.m. · 24 views

CVE-2023-24415

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions...

8.8 CVSS · 6.5 AI score · 0.00264 EPSS
Exploits: 0 · References: 1
Positive Technologies
added 2023/02/23 12:0 a.m. · 7 views

PT-2023-19576 · Unknown · Quantumcloud Ai Chatbot Plugin

Name of the Vulnerable Software and Affected Versions: QuantumCloud AI ChatBot plugin versions <= 4.2.8
Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web...

8.8 CVSS · 8.3 AI score · 0.00264 EPSS
Exploits: 0 · References: 4
Patchstack
added 2023/01/27 12:0 a.m. · 19 views

WordPress ChatBot Plugin <= 4.2.8 is vulnerable to Cross Site Request Forgery (CSRF)

Software: ChatBot
Type: Plugin
Vulnerable versions: <= 4.2.8
Fixed in: 4.2.9
OWASP Top 10: A5: Broken Access Control
Classification: Cross Site Request Forgery (CSRF)
CVE: CVE-2023-24415
Patch priority: Low
CVSS severity: Low 5.4
PSID: 56586a24f6dd
Credits: Rafshanzani Suhada
Required...

8.8 CVSS · 6.7 AI score · 0.00264 EPSS
Exploits: 0 · References: 2 · Affected Software: 1
Patchstack
added 2023/01/27 12:0 a.m. · 16 views

WordPress ChatBot Plugin <= 4.3.0 is vulnerable to Cross Site Scripting (XSS)

Software: ChatBot
Type: Plugin
Vulnerable versions: <= 4.3.0
Fixed in: 4.3.1
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2022-47613
Patch priority: Low
CVSS severity: Low 5.9
PSID: 55e5078b9db7
Credits: Rafshanzani Suhada
Required...

5.9 CVSS · 5.8 AI score · 0.00421 EPSS
Exploits: 0 · References: 2 · Affected Software: 1
WPVulnDB
added 2021/09/06 12:0 a.m. · 12 views

My Chatbot <= 1.1 - Reflected Cross-Site Scripting (XSS)

The plugin does not sanitise or escape its tab parameter in the Settings page before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. PoC: https://example.com/wp-admin/options-general.php?page=my-chatbot=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E...

0.1 AI score
Exploits: 0 · Affected Software: 1