Skip to main content

WPBot Pro CVE-2025-60223

| EUVDEUVD-2025-210225 HIGH
Path Traversal (CWE-22)
2026-06-17 Patchstack
7.7
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
7.7 HIGH

Network-reachable AJAX endpoint, no special conditions, requires subscriber auth (PR:L), no UI; arbitrary file deletion crosses scope to the WordPress host with high availability impact only.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:44 vuln.today
CVE Published
Jun 17, 2026 - 09:50 cve.org
HIGH 7.7

DescriptionCVE.org

Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot <= 13.6.5 versions.

AnalysisAI

Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.

Technical ContextAI

The affected component is the WPBot Pro WordPress Chatbot plugin by QuantumCloud (cpe:2.3:a:quantumcloud:wpbot_pro_wordpress_chatbot), an AI chatbot plugin integrated into the WordPress admin and front-end via AJAX endpoints. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, aka Path Traversal): a user-controlled file path parameter is concatenated into a filesystem delete operation without canonicalization or restriction to a whitelisted directory, allowing traversal sequences such as '../' to escape the plugin's intended working directory. Because the deletion handler is exposed to authenticated users at the subscriber capability level, the lowest WordPress role can reach functionality that should be restricted to administrators.

RemediationAI

No vendor-released patch version is identified in the available data; site administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpbot-pro/vulnerability/wordpress-wpbot-pro-wordpress-chatbot-plugin-13-6-5-arbitrary-file-deletion-vulnerability and upgrade WPBot Pro to the latest release beyond 13.6.5 as soon as a fixed version is published. Until a patched version is confirmed, deactivate and remove the WPBot Pro plugin (which disables the chatbot feature entirely), or, if the plugin must remain active, disable public user registration under Settings > General > Membership to remove the PR:L attack path, and audit existing subscriber accounts. As compensating controls, restrict access to the plugin's AJAX action endpoints via a WAF rule or mu-plugin filter on wp-admin/admin-ajax.php for the vulnerable action name (trade-off: may break chatbot functionality for logged-in visitors), and ensure the web server user lacks write/delete permissions on wp-config.php and core files where filesystem ACLs allow.

Share

CVE-2025-60223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy