Skip to main content

QuantumCloud ChatBot CVE-2026-57363

| EUVDEUVD-2026-43446 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable stored XSS injectable without authentication (PR:N) but firing only on victim page-load (UI:R), crossing into the browser context (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:08 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.3.7.

AnalysisAI

Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persist malicious script that executes in another user's browser when the affected page is viewed. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates a network-reachable, unauthenticated injection point that requires a victim to load the poisoned content and crosses a privilege boundary into the rendering context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed chatbot input field
Delivery
Submit crafted stored XSS payload
Exploit
Payload persisted server-side
Execution
Victim loads affected page
Persist
Script executes in victim browser
Impact
Hijack session or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the QuantumCloud ChatBot plugin (≤ 8.3.7) to be installed and active, and the attacker must be able to reach a chatbot input field or setting whose value is persisted and later rendered into a page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a chatbot message or configuration value containing a crafted script payload that the plugin stores without sanitizing. When a site administrator or another visitor later opens the page or conversation that renders this stored content, the script executes in their browser session, enabling session token theft, admin-panel actions, or content manipulation. …
Remediation Upgrade the QuantumCloud ChatBot plugin to the first release published after 8.3.7 once the vendor makes it available; no vendor-released patched version is independently confirmed in the provided data, so monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-8-3-7-cross-site-scripting-xss-vulnerability) and the WordPress plugin changelog for the fixed build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations to identify which versions of QuantumCloud ChatBot plugin (8.3.7 and earlier) are deployed and assess which instances host sensitive or user-facing content. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy