CVE-2023-5241

CWE-22Path Traversal3 documents3 sources
Severity
8.1HIGH
EPSS
2.4%
top 14.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Quantumcloud Wpbot
Timeline
PublishedOct 19

Description

The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "<?php" to any existing file on the server resulting in potential DoS when appended to critical files such as wp-config.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:HExploitability: 3.1 | Impact: 5.8

Affected Packages1 packages

NVDquantumcloud/wpbot< 4.9.1+1

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
CVEList
AI ChatBot <= 4.8.9 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file2023-10-19
GHSA
GHSA-v28w-vh2w-263g: The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 42023-10-19
CVE-2023-5241 (HIGH CVSS 8.1) | The AI ChatBot for WordPress is vul | cvebase.io