CVE-2023-5204

CRITICAL NUCLEI

WPBot AI ChatBot <= 4.8.9 - Unauthenticated SQL Injection via $strid

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-5204. PoCs published by RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a proof-of-concept for CVE-2023-5204, an unauthenticated SQL injection vulnerability in the AI ChatBot WordPress plugin. The PoC uses sqlmap to demonstrate exploitation via the 'strid' parameter in the 'wpbo_search_response' action.

Description

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (1)

nomisec WORKING POC 7 stars

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2023-5204

View Code ZIP pw:eip

This repository provides a proof-of-concept for CVE-2023-5204, an unauthenticated SQL injection vulnerability in the AI ChatBot WordPress plugin. The PoC uses sqlmap to demonstrate exploitation via the 'strid' parameter in the 'wpbo_search_response' action.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: AI ChatBot WordPress plugin <= 4.8.9

No auth needed

Prerequisites: Access to the target WordPress site · sqlmap installed

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection

CRITICALVERIFIEDby Shivam Kamboj

References (4)

Core 4

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.html

Product

https://plugins.trac.wordpress.org/browser/chatbot/trunk/qcld-wpwbot-search.php?rev=2957286#L177

Patch

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/5ad12146-200b-48e5-82de-7572541edcc4?source=cve

Scores

CVSS v3 9.8

EPSS 0.0689

EPSS Percentile 93.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

quantumcloud/wpbot < 4.9.1

quantumcloud/WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 4.8.9

Published Oct 19, 2023

Tracked Since Feb 18, 2026