175 matches found
MAL-2025-41375 Malicious code in cld-ai-chatbot-web (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware (47807a9125d00d52f4b02cf9742fdd7efd42b3b9cc93d5091594127fa5c9771c). Any computer that has this package installed or running should be considered...
A week in security (July 21 – July 27)
A list of topics we covered in the week of July 21 to July 27 of 2025. Last week on Malwarebytes Labs: Steam games abused to deliver malware once again; Watch out: Instagram users targeted in novel phishing campaign; Age verification: Child protection or privacy risk?; iPhone vs. Android: iPhone user...
SUSE-SU-2025:02529-1 Security update for MozillaFirefox, MozillaFirefox-branding-SLE
This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following issues: MozillaFirefox is updated to the 140ESR series. Firefox Extended Support Release 140.0esr ESR: General - Reader View now has an enhanced Text and Layout menu with new options for character spacing, word spacin...
A week in security (July 14 – July 20)
Last week on Malwarebytes Labs: Meta execs pay the pain away with $8 billion privacy settlement; Adoption agency leaks over a million records; Meta AI chatbot bug could have allowed anyone to see private conversations; WeTransfer walks back clause that said it would train AI on your files; Chrome fix...
McDonald’s AI bot spills data on job applicants
McDonald's has outsourced the initial stages of its hiring process to an AI chatbot which seems to have been built without proper security measures. Security researchers managed to extract personal information about McDonald's job applicants by simply guessing a username and the password “12345.”...
Limited Canva Creator Data Exposed Via AI Chatbot Database
A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses…
CVE-2025-24666
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle AI Chatbot for WordPress – Hyve Lite (hyve-lite) allows Stored XSS. This issue affects AI Chatbot for WordPress – Hyve Lite: from n/a through <= 1.2.2...
CVE-2024-7713
The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it...
CVE-2024-6669
The AI ChatBot for WordPress – WPBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-0451
The AI ChatBot plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the openaifilelistcallback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to lis...
CVE-2023-24415
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions...
CVE-2023-48741
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud AI ChatBot. This issue affects AI ChatBot: from n/a through 4.7.8...
CVE-2023-3175
The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVE-2023-2742
The AI ChatBot WordPress plugin before 4.5.5 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVE-2023-1650
The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2023-1649
The AI ChatBot WordPress plugin before 4.5.1 does not sanitise and escape many of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...
CVE-2023-5241
The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcldopenaiuploadpagetrainingfile function. This allows subscriber-level attackers to append "...
CVE-2023-5534
The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce validation on the corresponding functions. This makes it possible for unauthenticated attackers to invoke those functions vi...
CVE-2022-47613
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud AI ChatBot plugin <= 4.3.0 versions...