CVE-2023-5204
published 2023-10-19


Priority: P2 64 | Severity: high | CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 6.89% (93.3th percentile)
The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affected

1 range

Vendor       | Product | Version range | Fixed in
quantumcloud | wpbot   | < 4.9.1       | 4.9.1

Detection & IOCs (extracted from sources)

sigma
title: CVE-2023-5204 WordPress AI ChatBot SQLi
condition: and
detection:
  selection:
    - 'status_code == 200'
    - 'contains_all(body, "\"status\":\"success\"", "\"data\"")'
  filter:
    - 'contains(uri, "chatbot")'
    - 'param_value matches ".*''.*"'
  • Unauthenticated SQL injection via the `$strid` parameter in the ChatBot plugin for WordPress (versions <= 4.8.9). Monitor for SQL metacharacters (e.g., single quotes, UNION/SELECT keywords) appended to the strid parameter in requests targeting the plugin's endpoints.
  • Detection rule targets HTTP 200 responses whose body contains both '"status":"success"' and '"data"', which may indicate successful SQL injection data exfiltration from the ChatBot plugin.
  • The vulnerable parameter is `$strid`; look for anomalous or oversized values in this parameter in web server logs for requests to the WPBot/ChatBot plugin endpoints.
  • The Sigma-style rule snippet is incomplete (no explicit `logsource` or full field mappings); it requires adaptation to your SIEM/WAF log schema before deployment.
  • The rule digest provided may be used to verify rule integrity: ensure it matches before trusting the rule in production.
  • The vulnerability affects all unauthenticated users, meaning no session or authentication token is required to trigger the injection; perimeter controls relying solely on authentication checks will not block exploitation.
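
The log-side checks described in the notes above (quotes or UNION/SELECT keywords in `strid`, oversized values, URI containing "chatbot"), as an added example that is not part of the original page or the rule it quotes. It assumes combined-format access logs with `strid` in the query string; the endpoint path, the sample lines and the `MAX_LEN` threshold are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in combined log format; the path is a placeholder,
# not the plugin's real endpoint, and the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2023:10:00:01 +0000] "GET /placeholder/chatbot-endpoint?strid=42 HTTP/1.1" 200 310
203.0.113.9 - - [19/Oct/2023:10:00:07 +0000] "GET /placeholder/chatbot-endpoint?strid=42%27%20UNION%20SELECT%201 HTTP/1.1" 200 912
203.0.113.9 - - [19/Oct/2023:10:00:09 +0000] "GET /placeholder/chatbot-endpoint?strid=42%2527 HTTP/1.1" 200 305
198.51.100.2 - - [19/Oct/2023:10:00:11 +0000] "GET /blog/?s=o%27brien HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')
SQL_KEYWORDS = re.compile(r"\b(union|select)\b", re.IGNORECASE)
MAX_LEN = 64  # assumed ceiling for a legitimate strid value

def reasons_for(value):
    """Return why a decoded strid value looks like an injection attempt."""
    # Decode once more so double-encoded quotes (%2527) are still seen.
    decoded = unquote_plus(value)
    reasons = []
    if "'" in decoded:
        reasons.append("single-quote")
    if SQL_KEYWORDS.search(decoded):
        reasons.append("sql-keyword")
    if len(decoded) > MAX_LEN:
        reasons.append("oversized")
    return reasons

def scan(log_text):
    """Return (client, status, reasons) for each suspicious strid value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if "chatbot" not in url.path.lower():
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == "strid" and (why := reasons_for(value)):
                findings.append((client, int(status), why))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is carried through for triage only: access logs do not record the response body, so the `"status":"success"` body match from the rule has to be evaluated at a WAF or proxy that sees responses.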