EUVD-2026-13998
GHSA-28gh-r3vv-g85j
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Description
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the site's MobileMonkey API token and company ID options, which can be used to hijack chatbot configuration and redirect visitor conversations to an attacker-controlled MobileMonkey account.
Analysis
The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to authorization bypass in all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today