WordPress Plugin Vulnerabilities

AI ChatBot < 4.9.3 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request.

This vulnerability is the same as CVE-2023-5534, but was reintroduced in version 4.9.2.

Affects Plugins

Plugin icon
chatbot
Fixed in 4.9.3

References

CVE
CVE-2023-5655
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/chatbot/ai-chatbot-489-cross-site-request-forgery-on-ajax-actions

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
9972e172-0052-469c-bac7-4dd4bab144f7

Timeline

Publicly Published
2023-10-19 (about 2 years ago)
Added
2023-10-24 (about 2 years ago)
Last Updated
2023-10-24 (about 2 years ago)

Other

Published
Title
Published
2024-12-12
Title
MDC Comment Toolbar <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-03-19
Title
Plugin Upgrade Time Out <= 1.0 - Stored XSS via CSRF
Published
2025-12-30
Title
WING WordPress Migrator < 2.0.0 - Cross-Site Request Forgery
Published
2021-06-14
Title
Vik Rent Car < 1.1.7 - CSRF to Stored XSS
Published
2024-12-11
Title
HQ Rental Software <= 1.5.29 - Cross-Site Request Forgery to Arbitrary Options Update