Skip to main content

Chatbot EUVDEUVD-2026-15847

| CVE-2026-32499 CRITICAL
SQL Injection (CWE-89)
2026-03-25 Patchstack
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15847
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9.

AnalysisAI

A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.

Technical ContextAI

The vulnerability resides in the QuantumCloud ChatBot application (CPE: cpe:2.3:a:quantumcloud:chatbot:*:*:*:*:*:*:*:*), a WordPress chatbot plugin that fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. This constitutes a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) violation, specifically manifesting as blind SQL injection where the attacker cannot directly observe query results but can infer database contents through response timing, error messages, or boolean-based inference. The root cause is the absence of prepared statements, parameterized queries, or adequate input validation at the database abstraction layer, allowing metacharacters and SQL syntax to be interpreted as command delimiters rather than literal data.

RemediationAI

Immediately upgrade QuantumCloud ChatBot to a version newer than 7.7.9, as specified by the vendor security advisory at https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-7-9-sql-injection-vulnerability. If immediate patching is not possible, disable the ChatBot plugin entirely until a patched version is deployed, isolate the WordPress installation to restricted network access, implement database-level access controls limiting the WordPress database user to minimal required permissions, and monitor database query logs for evidence of exploitation attempts. Apply input validation rules at the WordPress plugin layer as a temporary additional control, but recognize this does not replace patching.

Share

EUVD-2026-15847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy