WordPress Plugin Vulnerabilities

AI ChatBot < 4.9.3 - Missing authorization in AJAX calls

Description

The plugin does not check capabilities when processing AJAX actions, allowing unauthenticated attackers to perform actions intended for higher privileged users.

This vulnerability is the same as CVE-2023-5533 but was reintroduced in version 4.9.2.

Affects Plugins

Plugin icon
chatbot
Fixed in 4.9.3

References

CVE
CVE-2023-5656
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/chatbot/ai-chatbot-489-missing-authorization-on-ajax-actions

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
3ea9a271-ca02-484c-bc59-e650e03db601

Timeline

Publicly Published
2023-10-11 (about 2 years ago)
Added
2023-10-24 (about 2 years ago)
Last Updated
2023-10-24 (about 2 years ago)

Other

Published
Title
Published
2025-01-31
Title
WooCommerce Support Ticket System < 17.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Information Exposure
Published
2023-12-07
Title
Social Media Feather < 2.1.4 - Subscriber+ Unauthorised Action
Published
2025-09-22
Title
Team < 5.0.7 - Missing Authorization
Published
2024-07-05
Title
Business One Page < 1.3.0 - Missing Authorization to Notice Dismissal
Published
2025-11-20
Title
Offload, AI & Optimize with Cloudflare Images < 1.9.6 - Missing Authorization