WordPress Plugin Vulnerabilities

AI ChatBot < 4.9.3 - Subscriber+ Arbitrary File Deletion

Description

The plugin does not properly validate files to be deleted in the qcld_openai_delete_training_file function, allowing users with roles as low as subscriber to delete arbitrary files on the server.

This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version 4.9.2.

Affects Plugins

Plugin icon
chatbot
Fixed in 4.9.3

References

CVE
CVE-2023-5647
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/chatbot/ai-chatbot-489-authenticated-subscriber-arbitrary-file-deletion-via-qcld-openai-delete-training-file

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
Marco Wotschka, Chloe Chamberland
Verified
No
WPVDB ID
48c15a0b-2202-474d-bf4e-7096b9b0ad70

Timeline

Publicly Published
2023-10-19 (about 2 years ago)
Added
2023-10-24 (about 2 years ago)
Last Updated
2023-10-24 (about 2 years ago)

Other

Published
Title
Published
2022-08-03
Title
Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion
Published
2025-11-24
Title
AI Engine for WordPress: ChatGPT, GPT Content Generator <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read
Published
2020-10-07
Title
HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion
Published
2026-04-21
Title
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters
Published
2025-05-07
Title
Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.27 - Unauthenticated Arbitrary File Read