CVE-2023-5204

CRITICAL NUCLEI

Quantumcloud Wpbot < 4.9.1 - SQL Injection

Title source: rule

Description

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (1)

nomisec WORKING POC 7 stars

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2023-5204

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection

CRITICALVERIFIEDby Shivam Kamboj

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.html

[Product] https://plugins.trac.wordpress.org/browser/chatbot/trunk/qcld-wpwbot-search.php?rev=2957286#L177

[Patch] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/5ad12146-200b-48e5-82de-7572541edcc4?source=cve

Scores

CVSS v3 9.8

EPSS 0.8698

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

quantumcloud/wpbot < 4.9.1

quantumcloud/WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 4.8.9

Published Oct 19, 2023

Tracked Since Feb 18, 2026