CVE-2023-5254

MEDIUM

ChatBot plugin <4.8.9 - Info Disclosure

Title source: llm

Description

The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcld_wb_chatbot_check_user function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site as well as order information for existing users.

References (3)

Core 3

Core References

Exploit

https://plugins.trac.wordpress.org/browser/chatbot/trunk/functions.php#L1224

Patch

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d897daf8-5320-4546-9a63-1d34a15b2a58?source=cve

Scores

CVSS v3 5.3

EPSS 0.0077

EPSS Percentile 50.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

quantumcloud/wpbot < 4.9.1

quantumcloud/WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 4.8.9

Published Oct 19, 2023

Tracked Since Feb 18, 2026