WordPress Plugin Vulnerabilities

AI Engine < 2.8.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via `mwai_chatbot` Shortcode `id` Parameter

Description

The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ai-engine
Fixed in 2.8.5

References

CVE
CVE-2025-5570
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a32dcf96-ec75-46b1-8f1d-608411ad5147

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
d3b0a51a-6516-40d4-99c1-aa12c192c489

Timeline

Publicly Published
2025-07-07 (about 11 months ago)
Added
2025-07-07 (about 11 months ago)
Last Updated
2025-07-08 (about 11 months ago)

Other

Published
Title
Published
2026-03-04
Title
OoohBoi Steroids for Elementor < 2.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls
Published
2021-10-25
Title
eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting
Published
2020-08-31
Title
Ceceppa Multilingua <= 1.5.17 - Authenticated Reflected Cross-Site Scripting
Published
2024-11-04
Title
Simple Modal <= 0.3.3 - Reflected Cross-Site Scripting
Published
2023-11-07
Title
Solid Central < 3.0.1 - Stored Cross-Site Scripting via packages