Stored Cross-Site Scripting in WPBot - AI ChatBot for Live Support by WordPress
CVE-2026-13731
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-13731?
The WPBot - AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is affected by a stored Cross-Site Scripting vulnerability in all versions up to and including 8.4.9. The issue arises from inadequate input sanitization and output escaping of the 'conversation' parameter. Attackers, even without authentication, can inject malicious web scripts that are stored and then execute within the context of a user's session when that user accesses a compromised page. The AJAX nonce, required for valid request authentication, is inadvertently exposed on frontend pages through the wp_localize_script function, so unauthorized users can easily obtain it and use it for exploitation.
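The two missing controls named above, sanitizing 'conversation' on input and escaping it on output, are sketched below as an added example. It is not the plugin's code: every `example_` action, option and function name is hypothetical, the 20000-byte and 200-row limits are arbitrary, and it assumes the conversation is kept as plain text.

```php
<?php
// Added illustration, not WPBot's code. Every "example_" name is hypothetical.
// Assumption: the conversation is stored and shown as plain text.
defined( 'ABSPATH' ) || exit;

// The nopriv hook is what lets unauthenticated visitors reach the handler.
add_action( 'wp_ajax_example_save_conversation', 'example_save_conversation' );
add_action( 'wp_ajax_nopriv_example_save_conversation', 'example_save_conversation' );

function example_save_conversation() {
	// A nonce localized into frontend pages is readable by every visitor.
	// Checking it limits CSRF; it does not identify or authorize the caller,
	// so the value below is still untrusted input.
	check_ajax_referer( 'example_chat_nonce', 'nonce' );

	$raw = isset( $_POST['conversation'] ) ? wp_unslash( $_POST['conversation'] ) : '';
	if ( ! is_string( $raw ) || '' === $raw || strlen( $raw ) > 20000 ) {
		wp_send_json_error( 'invalid conversation', 400 );
	}

	// Input side: strip tags and invalid UTF-8 before anything is stored.
	$clean = sanitize_textarea_field( $raw );

	$log   = get_option( 'example_conversations', array() );
	$log[] = array( 'time' => time(), 'conversation' => $clean );
	update_option( 'example_conversations', array_slice( $log, -200 ) );

	wp_send_json_success();
}

// Output side: escape at the point of rendering, even though the value was
// sanitized on the way in, so older or imported rows cannot inject markup.
function example_render_conversations() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	foreach ( get_option( 'example_conversations', array() ) as $row ) {
		printf(
			'<pre class="example-conversation">%s</pre>',
			esc_html( $row['conversation'] )
		);
	}
}
```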
Affected Version(s)
WPBot - AI ChatBot for Live Support, Lead Generation, AI Services: 0 <= 8.4.9