Severity: 5.4 MEDIUM
EPSS: 0.1% (top 66.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 8, 2023

Description

The AI ChatBot WordPress plugin before 4.4.9 performs neither an authorisation (capability) check nor a CSRF (nonce) check in the AJAX action that updates the OpenAI settings, so any authenticated user, even one with the subscriber role, can change them. Furthermore, because the stored settings are not escaped when rendered, this can also lead to stored XSS.
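As an added illustration, and not code from the plugin itself (its source is not on this page), the following PHP shows the pattern the description refers to in a hypothetical plugin: a `wp_ajax_` settings handler with no capability check, no nonce check and no output escaping, beside a hardened version. Every action, option and function name below is invented for the example.

```php
<?php
// Added illustrative example (not the plugin's code). Action names, option
// names and function names are hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user, so registering the handler
// this way already exposes it to subscribers; the handler then checks nothing.
add_action( 'wp_ajax_example_save_openai_settings', 'example_save_openai_settings_vulnerable' );

function example_save_openai_settings_vulnerable() {
    // No current_user_can(), no nonce, raw request data written straight to options.
    update_option( 'example_openai_api_key', $_POST['api_key'] );
    update_option( 'example_openai_model',   $_POST['model'] );
    wp_send_json_success();
}

// The stored value is echoed into an admin page attribute unescaped, so a
// subscriber-controlled setting becomes stored XSS against an administrator.
function example_render_model_field_vulnerable() {
    echo '<input type="text" name="model" value="' . get_option( 'example_openai_model' ) . '">';
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_example_save_openai_settings_fixed', 'example_save_openai_settings_fixed' );

function example_save_openai_settings_fixed() {
    // 1. Authorisation: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: require a nonce bound to this action; check_ajax_referer()
    //    terminates the request with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'example_openai_settings', 'nonce' );

    // 3. Sanitise on input before storing.
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    $model   = isset( $_POST['model'] )   ? sanitize_text_field( wp_unslash( $_POST['model'] ) )   : '';

    update_option( 'example_openai_api_key', $api_key );
    update_option( 'example_openai_model',   $model );
    wp_send_json_success();
}

// 4. Escape on output regardless of what was sanitised on the way in.
function example_render_model_field_fixed() {
    echo '<input type="text" name="model" value="' . esc_attr( get_option( 'example_openai_model', '' ) ) . '">';
}

// The admin page has to hand the nonce to the script that issues the AJAX
// request, otherwise check_ajax_referer() has nothing to verify, e.g.:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_openai_settings' ),
// ) );
```

The three controls address three separate findings in the description: the capability check stops the subscriber, the nonce stops a cross-site request riding an administrator's session, and escaping on output stops the stored XSS even if a value slips past input sanitisation. When reviewing a plugin for this class of bug, list every `wp_ajax_` and `wp_ajax_nopriv_` hook and confirm that each handler calls `current_user_can()` and `check_ajax_referer()` (or `wp_verify_nonce()`) before touching options.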

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

Source    | Package                | Affected versions
CVEListV5 | unknown/ai_chatbot     | < 4.4.9
NVD       | quantumcloud/wpbot     | < 4.4.9

Vulnerability Details (2 references)

GHSA: GHSA-3fx8-h7hv-rjf7: "The AI ChatBot WordPress plugin before 4" (title truncated on the page), 2023-05-08
CVEList: CVE-2023-1651: "ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS", 2023-05-08

Source: cvebase.io, CVE-2023-1651 (MEDIUM, CVSS 5.4)