WordPress Plugin Vulnerabilities

ChatBot < 4.2.9 - Unauthenticated Settings Reset

Description

The plugin does not have authorisation and CSRF checks when reseting its settings via an AJAX action available to unauthenticated users, which could allow unauthenticated attackers to reset the plugin's settings

Proof of Concept

Affects Plugins

Plugin icon
chatbot
Fixed in 4.2.9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
f9cd4bfb-6c80-40a3-b973-077142e41aef

Timeline

Publicly Published
2023-01-09 (about 3 years ago)
Added
2023-02-23 (about 3 years ago)
Last Updated
2023-02-23 (about 3 years ago)

Other

Published
Title
Published
2024-02-01
Title
Orbit Fox by ThemeIsle < 2.10.29 - Unauthenticated Connected API Keys Update
Published
2025-05-06
Title
Search Exclude < 2.5.0 - Missing Authorization to Unauthenticated Plugin Settings Modification
Published
2023-06-08
Title
WP-Members Membership < 3.4.8 - Subscriber+ Unauthorized Plugin Settings Update
Published
2025-10-25
Title
FileBird Pro < 6.5.2 - Missing Authorization
Published
2026-01-27
Title
Gauge <= 6.56.4 - Missing Authorization