Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
PR:L reflects required Contributor account; UI:R and S:C capture admin-context execution; A:N because XSS does not cause availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.
AnalysisAI
Stored Cross-Site Scripting in the Elizaibots WordPress chatbot plugin (versions <= 1.0.2) allows authenticated Contributor-level users to inject malicious scripts that execute in the browser context of higher-privileged users - including site administrators - when they visit affected pages. The CVSS scope-change indicator (S:C) confirms the payload escapes the contributor's privilege boundary and can compromise admin sessions, enabling privilege escalation or site takeover. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
Elizaibots is a WordPress chatbot plugin authored by the vendor 'liseperu', identified by CPE cpe:2.3:a:liseperu:elizaibots:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically a stored variant where Contributor-role users can persist unsanitized input through plugin-managed content fields. WordPress's Contributor role allows users to create content but not publish it, yet this vulnerability demonstrates that even pre-publication or plugin-specific input vectors can introduce XSS when insufficient output encoding or input sanitization is applied. The scope change in the CVSS vector (S:C) is consistent with how stored XSS crosses privilege boundaries: the attacker's injected payload executes in the victim's browser session, not the attacker's, enabling cross-context attacks such as session token theft or unauthorized administrative actions.
RemediationAI
A patched version beyond 1.0.2 should be applied; however, the exact fixed release version is not independently confirmed from the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elizaibot-chatbots/vulnerability/wordpress-elizaibots-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve and the WordPress plugin repository for the latest release. If an update is unavailable or cannot be immediately applied, site administrators should restrict the Contributor role to only fully trusted users, removing any untrusted or externally registered accounts with that role, as this directly eliminates the required attack precondition. Additionally, deploying a Web Application Firewall (WAF) rule to detect and block common XSS payload patterns in plugin input fields can serve as a compensating control, though this may interfere with legitimate chatbot configuration. Disabling the Elizaibots plugin entirely until a verified patch is available is the most reliable short-term mitigation, with the trade-off of losing chatbot functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210140
GHSA-27g9-69hr-cxh3