WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 7.9.9 – Missing Authorization | CVE 2026-40788 | Plugin Vulnerabilities

Description

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.9.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Fixed in 7.9.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f0556e-a875-4f88-b96c-a924f8fe01da

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mehdi Ouassou

Verified

No

WPVDB ID

2f6e4f53-f18c-413f-9736-202ccfda00f2

Timeline

Publicly Published

2026-04-23 (about 20 days ago)

Added

2026-04-30 (about 13 days ago)

Last Updated

2026-04-30 (about 13 days ago)

Other

Published

Title

Published

2022-04-04

Title

Mycred < 2.4.4.1 - Subscriber+ User E-mail Addresses Disclosure

Published

2025-01-16

Title

Delete All Posts <= 1.1.1 - Missing Authorization

Published

2025-03-31

Title

NanoSupport <= 0.6.0 - Missing Authorization

Published

2024-07-08

Title

Media Hygiene < 3.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion

Published

2025-04-22

Title

Advanced Linked Variations for Woocommerce < 1.0.4 - Missing Authorization