Stored Cross-Site Scripting in WPBot - AI ChatBot for Live Support by WordPress
CVE-2026-13731

7.2 HIGH

What is CVE-2026-13731?

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to stored Cross-Site Scripting. The issue stems from insufficient input sanitization and output escaping of the 'conversation' parameter and affects all versions up to and including 8.4.9. Unauthenticated attackers can inject web scripts that execute in a user's session whenever that user opens an injected page. The AJAX nonce that requests must carry is exposed on frontend pages through the wp_localize_script function, so unauthenticated visitors can readily obtain it.

Affected Version(s)

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services 0 <= 8.4.9

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM