Authorization Bypass Vulnerability in WPBot – AI ChatBot for Live Support by WordPress
CVE-2026-15610
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-15610?
The WPBot – AI ChatBot for Live Support plugin for WordPress is susceptible to an authorization bypass vulnerability in all versions up to and including 8.5.6. This issue arises because the plugin fails to adequately verify user permissions when executing certain actions. As a result, authenticated attackers with subscriber-level access or higher can exploit this vulnerability to arbitrarily re-embed stored RAG documents, effectively manipulating the rag_documents database table. Consequently, this exploitation can lead to unauthorized consumption of the site owner's paid third-party AI API credits, such as OpenAI, Gemini, OpenRouter, or xAI.
Affected Version(s)
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services 0 <= 8.5.6