Arbitrary File Deletion Vulnerability in AI ChatBot Plugin for WordPress
CVE-2023-5212

8.1HIGH

Key Information:

Vendor: Wordpress
Status: AI ChatBot
Vendor: CVE Published:; 19 October 2023

Summary

The AI ChatBot plugin for WordPress contains a vulnerability that allows authenticated users with subscriber privileges to delete arbitrary files on the server. This flaw, present in versions up to 4.8.9 and also in version 4.9.2, can lead to complete site takeover for affected installations, as well as other sites sharing the same hosting environment. The issue was initially addressed in version 4.9.1 but was later reintroduced and subsequently fixed in 4.9.3.

Affected Version(s)

AI ChatBot * <= 4.8.9

AI ChatBot 4.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/chatbot/trunk/...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2023
Vulnerability Reserved
Sep 26, 2023

Credit

Marco Wotschka

Chloe Chamberland