Skip to main content

Elizaibots EUVDEUVD-2025-210140

| CVE-2025-15659 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-27g9-69hr-cxh3
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L reflects required Contributor account; UI:R and S:C capture admin-context execution; A:N because XSS does not cause availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 16:35 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.

AnalysisAI

Stored Cross-Site Scripting in the Elizaibots WordPress chatbot plugin (versions <= 1.0.2) allows authenticated Contributor-level users to inject malicious scripts that execute in the browser context of higher-privileged users - including site administrators - when they visit affected pages. The CVSS scope-change indicator (S:C) confirms the payload escapes the contributor's privilege boundary and can compromise admin sessions, enabling privilege escalation or site takeover. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Elizaibots is a WordPress chatbot plugin authored by the vendor 'liseperu', identified by CPE cpe:2.3:a:liseperu:elizaibots:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically a stored variant where Contributor-role users can persist unsanitized input through plugin-managed content fields. WordPress's Contributor role allows users to create content but not publish it, yet this vulnerability demonstrates that even pre-publication or plugin-specific input vectors can introduce XSS when insufficient output encoding or input sanitization is applied. The scope change in the CVSS vector (S:C) is consistent with how stored XSS crosses privilege boundaries: the attacker's injected payload executes in the victim's browser session, not the attacker's, enabling cross-context attacks such as session token theft or unauthorized administrative actions.

RemediationAI

A patched version beyond 1.0.2 should be applied; however, the exact fixed release version is not independently confirmed from the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elizaibot-chatbots/vulnerability/wordpress-elizaibots-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve and the WordPress plugin repository for the latest release. If an update is unavailable or cannot be immediately applied, site administrators should restrict the Contributor role to only fully trusted users, removing any untrusted or externally registered accounts with that role, as this directly eliminates the required attack precondition. Additionally, deploying a Web Application Firewall (WAF) rule to detect and block common XSS payload patterns in plugin input fields can serve as a compensating control, though this may interfere with legitimate chatbot configuration. Disabling the Elizaibots plugin entirely until a verified patch is available is the most reliable short-term mitigation, with the trade-off of losing chatbot functionality.

Share

EUVD-2025-210140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy