Authorization Bypass Vulnerability in WPBot – AI ChatBot for Live Support by WordPress
CVE-2026-15610

4.3MEDIUM

What is CVE-2026-15610?

The WPBot – AI ChatBot for Live Support plugin for WordPress is susceptible to an authorization bypass vulnerability in all versions up to and including 8.5.6. This issue arises because the plugin fails to adequately verify user permissions when executing certain actions. As a result, authenticated attackers with subscriber-level access or higher can exploit this vulnerability to arbitrarily re-embed stored RAG documents, effectively manipulating the rag_documents database table. Consequently, this exploitation can lead to unauthorized consumption of the site owner's paid third-party AI API credits, such as OpenAI, Gemini, OpenRouter, or xAI.

Affected Version(s)

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services 0 <= 8.5.6

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.