Skip to main content

WPBot ChatBot CVE-2026-15106

| EUVDEUVD-2026-44892 MEDIUM
Missing Authorization (CWE-862)
2026-07-16 Wordfence GHSA-w9hj-67x9-qq26
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable endpoint, no auth or interaction required, scope unchanged; impact is record deletion only, so I:L and C:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:07 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
MEDIUM 5.3

DescriptionCVE.org

The WPBot - AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary chat session records from the wpbot_user and wpbot_conversation tables, including chat history and conversation logs, by supplying a crafted userid value.

AnalysisAI

Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with WPBot ≤8.5.6 active
Delivery
Locate unprotected session deletion endpoint in wpbot-chat-sessions.php
Exploit
Craft HTTP request with arbitrary userid value
Execution
Submit unauthenticated deletion request
Impact
Chat session records wiped from database

Vulnerability AssessmentAI

Exploitation No authentication is required and no special site configuration is needed - the vulnerability exists in the default installation of WPBot on any WordPress site running version 8.5.6 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) characterizes this as a low-complexity, unauthenticated network attack with limited integrity impact and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates a WordPress site running WPBot ≤8.5.6, then issues an unauthenticated HTTP request to the plugin's chat-session deletion endpoint with a fabricated or iterated userid value. Because no authorization check is performed, the server deletes the corresponding records from the wpbot_user and wpbot_conversation tables without any authentication. …
Remediation Update the WPBot plugin to a version released after 8.5.6; a corrective changeset (revision 3608558 in the WordPress plugin repository) has been committed, but an exact patched release version is not independently confirmed from the available data - verify the latest available version in the WordPress plugin directory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy