Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Network-reachable AJAX endpoint, no special conditions, requires subscriber auth (PR:L), no UI; arbitrary file deletion crosses scope to the WordPress host with high availability impact only.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot <= 13.6.5 versions.
AnalysisAI
Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.
Technical ContextAI
The affected component is the WPBot Pro WordPress Chatbot plugin by QuantumCloud (cpe:2.3:a:quantumcloud:wpbot_pro_wordpress_chatbot), an AI chatbot plugin integrated into the WordPress admin and front-end via AJAX endpoints. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, aka Path Traversal): a user-controlled file path parameter is concatenated into a filesystem delete operation without canonicalization or restriction to a whitelisted directory, allowing traversal sequences such as '../' to escape the plugin's intended working directory. Because the deletion handler is exposed to authenticated users at the subscriber capability level, the lowest WordPress role can reach functionality that should be restricted to administrators.
RemediationAI
No vendor-released patch version is identified in the available data; site administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpbot-pro/vulnerability/wordpress-wpbot-pro-wordpress-chatbot-plugin-13-6-5-arbitrary-file-deletion-vulnerability and upgrade WPBot Pro to the latest release beyond 13.6.5 as soon as a fixed version is published. Until a patched version is confirmed, deactivate and remove the WPBot Pro plugin (which disables the chatbot feature entirely), or, if the plugin must remain active, disable public user registration under Settings > General > Membership to remove the PR:L attack path, and audit existing subscriber accounts. As compensating controls, restrict access to the plugin's AJAX action endpoints via a WAF rule or mu-plugin filter on wp-admin/admin-ajax.php for the vulnerable action name (trade-off: may break chatbot functionality for logged-in visitors), and ensure the web server user lacks write/delete permissions on wp-config.php and core files where filesystem ACLs allow.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210225