Severity: 6.1 MEDIUM
EPSS: 0.4% (top 36.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 8

Description

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF checks in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard.
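The pattern the description names (a settings writer hooked to init with no capability or nonce check, and the stored value echoed unescaped in the admin dashboard) is easiest to see beside its corrected form. The following is an added illustration and is not the plugin's own code; the `hypo_chatbot_*` option, nonce and function names are invented for the example, while the WordPress API calls (`current_user_can`, `check_admin_referer`, `wp_nonce_field`, `sanitize_text_field`, `esc_attr`, `esc_html`) are real core functions.

```php
<?php
// Added example, not the plugin's code. All hypo_chatbot_* names are hypothetical.

// --- Vulnerable pattern (what the advisory describes) ---
// init fires for every request, logged in or not, so this runs for anonymous visitors.
add_action( 'init', 'hypo_chatbot_save_settings_vulnerable' );
function hypo_chatbot_save_settings_vulnerable() {
    if ( isset( $_POST['hypo_chatbot_title'] ) ) {
        // No current_user_can() and no nonce check: any request, including a
        // cross-site one, can overwrite the option with arbitrary HTML.
        update_option( 'hypo_chatbot_title', $_POST['hypo_chatbot_title'] );
    }
}
function hypo_chatbot_dashboard_heading_vulnerable() {
    // Stored value printed into admin markup without escaping -> stored XSS.
    echo '<h2>' . get_option( 'hypo_chatbot_title', '' ) . '</h2>';
}

// --- Hardened pattern ---
// Only run in the admin context, and verify both who is asking and that the
// request originated from the plugin's own form.
add_action( 'admin_init', 'hypo_chatbot_save_settings_hardened' );
function hypo_chatbot_save_settings_hardened() {
    if ( ! isset( $_POST['hypo_chatbot_title'] ) ) {
        return;
    }
    // Authorisation: settings may only be changed by users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: the nonce emitted by wp_nonce_field() below must be present and valid;
    // check_admin_referer() calls wp_die() itself when it is not.
    check_admin_referer( 'hypo_chatbot_save_settings', 'hypo_chatbot_nonce' );
    // Sanitise on input (strips tags, normalises whitespace).
    $title = sanitize_text_field( wp_unslash( $_POST['hypo_chatbot_title'] ) );
    update_option( 'hypo_chatbot_title', $title );
}

// Settings form: emits the nonce the hardened handler checks, and escapes the
// current value in an attribute context.
function hypo_chatbot_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hypo_chatbot_save_settings', 'hypo_chatbot_nonce' ); ?>
        <input type="text" name="hypo_chatbot_title"
               value="<?php echo esc_attr( get_option( 'hypo_chatbot_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Dashboard output: escape for the HTML text context at the point of output,
// regardless of what sanitisation happened on input.
function hypo_chatbot_dashboard_heading_hardened() {
    echo '<h2>' . esc_html( get_option( 'hypo_chatbot_title', '' ) ) . '</h2>';
}
```

Both halves of the fix matter independently: the capability and nonce checks stop unauthenticated and cross-site writes, and output escaping means a value that does reach the option through some other path still cannot execute in an administrator's browser.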

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEList V5: unknown/ai_chatbot < 4.4.9
NVD: quantumcloud/wpbot < 4.4.9

Vulnerability Details (2)

GHSA: GHSA-c22m-r7gh-963v: The AI ChatBot WordPress plugin before 4 (2023-05-08)
CVEList: ChatBot < 4.4.9 - Unauthenticated Stored XSS (2023-05-08)
CVE-2023-1660 (MEDIUM CVSS 6.1) | The AI ChatBot WordPress plugin bef | cvebase.io