CVE-2024-13091
CRITICALWPBot Pro Wordpress Chatbot <13.5.4 - File Upload
Title source: llmDescription
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit requires thee ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin.
References (2)
Core 2
Core References
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9b6979-2662-4d2f-9656-b880dd80832c?source=cve
Product
https://www.wpbot.pro/
Scores
CVSS v3
9.8
EPSS
0.1024
EPSS Percentile
93.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
QuantumCloud/WPBot Pro Wordpress Chatbot
< 13.5.4
wpbot/wpot
< 13.5.6
Published
Jan 22, 2025
Tracked Since
Feb 18, 2026