CVE-2023-5212

moderate-risk
Published 2023-10-19

The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9 as well as version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. Version 4.9.1 originally addressed the issue, but it was reintroduced in 4.9.2 and fixed again in 4.9.3.

Do I need to act?

-
0.31% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.6/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Quantumcloud

References (7)

Product https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bo...
Patch https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9...
Third Party Advisory http://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injec...
Product https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bo...
Patch https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9...
40
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 7/34 · Low