Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Network-reachable WordPress endpoint, low complexity, requires Subscriber auth (PR:L), no UI; missing authorization yields no confidentiality loss, low integrity tampering, and high availability impact on the plugin.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in ChatBot <= 7.9.7 versions.
AnalysisAI
Broken access control in the QuantumCloud ChatBot plugin for WordPress (versions <= 7.9.7) allows authenticated low-privileged users (Subscriber role) to invoke restricted plugin functionality without proper authorization checks, leading to integrity tampering and availability disruption. Reported by Patchstack and tracked as EUVD-2026-36991, with no public exploit identified at time of analysis.
Technical ContextAI
The flaw resides in the QuantumCloud ChatBot WordPress plugin (cpe:2.3:a:quantumcloud:chatbot), a conversational chatbot extension typically installed on customer-facing WordPress sites. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints - usually exposed via WordPress AJAX actions (wp-admin/admin-ajax.php) or REST routes - fail to perform a capability check (current_user_can) before executing privileged operations. Because any authenticated WordPress user, including self-registered Subscribers on sites with open registration, can reach these endpoints, the missing authorization gate collapses the role separation the plugin should enforce.
RemediationAI
Patch available per vendor advisory - upgrade the ChatBot plugin to the version above 7.9.7 listed in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-9-7-broken-access-control-vulnerability) by updating through the WordPress plugin dashboard or via WP-CLI (wp plugin update chatbot). Until the upgrade is applied, compensating controls include disabling open user registration in WordPress Settings > General (trade-off: blocks legitimate self-signup flows on membership/e-commerce sites), restricting access to wp-admin/admin-ajax.php and any chatbot REST routes via a WAF rule that requires editor-or-above roles (trade-off: may break legitimate Subscriber AJAX features in other plugins), or temporarily deactivating the ChatBot plugin if its functionality is non-essential (trade-off: loss of chatbot feature for site visitors).
A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9,
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions. Rated high severity
Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persi
Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenti
The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versio
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36991
GHSA-cw8r-c33f-4p9j