EUVD-2026-31064
GHSA-8cp2-f533-qp29
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Practical exploitation is constrained due to a 20-character storage limit.
AnalysisAI
Stored Cross-Site Scripting in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions ≤1.4.14) allows injection of arbitrary web scripts via the unsanitized X-Forwarded-For HTTP request header. The injected payload persists server-side and executes in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or malicious redirects. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and
Share
External POC / Exploit Code
Leaving vuln.today