Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable endpoint, no auth or interaction required, scope unchanged; impact is record deletion only, so I:L and C:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WPBot - AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary chat session records from the wpbot_user and wpbot_conversation tables, including chat history and conversation logs, by supplying a crafted userid value.
AnalysisAI
Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required and no special site configuration is needed - the vulnerability exists in the default installation of WPBot on any WordPress site running version 8.5.6 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) characterizes this as a low-complexity, unauthenticated network attack with limited integrity impact and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates a WordPress site running WPBot ≤8.5.6, then issues an unauthenticated HTTP request to the plugin's chat-session deletion endpoint with a fabricated or iterated userid value. Because no authorization check is performed, the server deletes the corresponding records from the wpbot_user and wpbot_conversation tables without any authentication. … |
| Remediation | Update the WPBot plugin to a version released after 8.5.6; a corrective changeset (revision 3608558 in the WordPress plugin repository) has been committed, but an exact patched release version is not independently confirmed from the available data - verify the latest available version in the WordPress plugin directory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated atta
Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level au
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44892
GHSA-w9hj-67x9-qq26