CVE-2023-5212
CRITICAL
WPBot AI ChatBot <=4.8.9/4.9.2 - Authenticated Arbitrary File Deletion
Title source: llm
Description
The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9 as well as version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. Version 4.9.1 originally addressed the issue, but it was reintroduced in 4.9.2 and fixed again in 4.9.3.
References (4)
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.html
Scores
CVSS v3
9.6
EPSS
0.0163
EPSS Percentile
73.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (4)
quantumcloud/wpbot
4.9.2
quantumcloud/wpbot
< 4.9.1
quantumcloud/WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
< 4.8.9
quantumcloud/WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
4.9.2
Published
Oct 19, 2023
Tracked Since
Feb 18, 2026