WordPress Plugin Vulnerabilities

ChatBot 4.8.6 - 4.9.6 - Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder

Description

The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. NOTE: This vulnerability is a re-introduction of CVE-2023-4253.

Affects Plugins

Plugin icon
chatbot
Fixed in 4.9.7

References

CVE
CVE-2023-5606
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc305c48-8337-42b7-ad61-61aea8018def

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Huynh Tien Si
Verified
No
WPVDB ID
2ea59637-e788-4d18-9d05-b8ad812ca236

Timeline

Publicly Published
2023-11-01 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2016-11-19
Title
Instagram Feed < 1.4.7 - Authenticated Cross-Site Scripting (XSS) & CSRF
Published
2024-01-17
Title
MapPress Maps for WordPress < 2.88.15 - Contributor+ Stored XSS
Published
2025-02-18
Title
WP Login Control <= 2.0.0 - Reflected XSS
Published
2024-10-11
Title
Forms for Mailchimp by Optin Cat < 2.5.8 - Authenticated (Editor+) Stored Cross-Site Scripting via Form Color Parameters
Published
2024-02-28
Title
Restaurant Solutions – Checklist 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting