Arbitrary File Deletion Vulnerability in AI ChatBot Plugin for WordPress
CVE-2023-5212

9.6CRITICAL

Key Information:

Vendor: WordPress
Status: WPbot – Ai Chatbot For Live Support, Lead Generation, Ai Services
Vendor: CVE Published:; 19 October 2023

What is CVE-2023-5212?

The AI ChatBot plugin for WordPress contains a vulnerability that allows authenticated users with subscriber privileges to delete arbitrary files on the server. This flaw, present in versions up to 4.8.9 and also in version 4.9.2, can lead to complete site takeover for affected installations, as well as other sites sharing the same hosting environment. The issue was initially addressed in version 4.9.1 but was later reintroduced and subsequently fixed in 4.9.3.

Affected Version(s)

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services 0 <= 4.8.9

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services 4.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/chatbot/trunk/...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 19, 2023
Vulnerability Reserved
Sep 26, 2023

Credit

Marco Wotschka

Chloe Chamberland

CVE-2023-5212 Data

JSON