Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable stored XSS injectable without authentication (PR:N) but firing only on victim page-load (UI:R), crossing into the browser context (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.3.7.
AnalysisAI
Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persist malicious script that executes in another user's browser when the affected page is viewed. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates a network-reachable, unauthenticated injection point that requires a victim to load the poisoned content and crosses a privilege boundary into the rendering context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the QuantumCloud ChatBot plugin (≤ 8.3.7) to be installed and active, and the attacker must be able to reach a chatbot input field or setting whose value is persisted and later rendered into a page. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a chatbot message or configuration value containing a crafted script payload that the plugin stores without sanitizing. When a site administrator or another visitor later opens the page or conversation that renders this stored content, the script executes in their browser session, enabling session token theft, admin-panel actions, or content manipulation. … |
| Remediation | Upgrade the QuantumCloud ChatBot plugin to the first release published after 8.3.7 once the vendor makes it available; no vendor-released patched version is independently confirmed in the provided data, so monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-8-3-7-cross-site-scripting-xss-vulnerability) and the WordPress plugin changelog for the fixed build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations to identify which versions of QuantumCloud ChatBot plugin (8.3.7 and earlier) are deployed and assess which instances host sensitive or user-facing content. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9,
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions. Rated high severity
Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenti
Broken access control in the QuantumCloud ChatBot plugin for WordPress (versions <= 7.9.7) allows authenticated low-priv
The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versio
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43446