Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-5204

CWE-89SQL Injection4 documents4 sources
Severity
7.5HIGH
EPSS
87.0%
top 0.57%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Quantumcloud Wpbot
Timeline
PublishedOct 19

Description

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDquantumcloud/wpbot< 4.9.1

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
CVEList
AI ChatBot <= 4.8.9 - Unauthenticated SQL Injection via qc_wpbo_search_response2023-10-19
GHSA
GHSA-xjgr-47gv-2g9p: The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 42023-10-19

💥Exploits & PoCs

1
Nuclei
WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection
CVE-2023-5204 (HIGH CVSS 7.5) | The ChatBot plugin for WordPress is | cvebase.io