CVE-2023-1650 — Deserialization of Untrusted Data in Wpbot

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

48.8%

top 2.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Quantumcloud Wpbot

Timeline

PublishedMay 8

Description

The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDquantumcloud/wpbot< 4.4.7

🔴Vulnerability Details

GHSA

GHSA-5fh8-2chr-gvvq: The AI ChatBot WordPress plugin before 4↗2023-05-08

▶

CVEList

ChatBot < 4.4.7 - Unauthenticated PHP Object Injection↗2023-05-08

▶