Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9.
AnalysisAI
A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.
Technical ContextAI
The vulnerability resides in the QuantumCloud ChatBot application (CPE: cpe:2.3:a:quantumcloud:chatbot:*:*:*:*:*:*:*:*), a WordPress chatbot plugin that fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. This constitutes a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) violation, specifically manifesting as blind SQL injection where the attacker cannot directly observe query results but can infer database contents through response timing, error messages, or boolean-based inference. The root cause is the absence of prepared statements, parameterized queries, or adequate input validation at the database abstraction layer, allowing metacharacters and SQL syntax to be interpreted as command delimiters rather than literal data.
RemediationAI
Immediately upgrade QuantumCloud ChatBot to a version newer than 7.7.9, as specified by the vendor security advisory at https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-7-9-sql-injection-vulnerability. If immediate patching is not possible, disable the ChatBot plugin entirely until a patched version is deployed, isolate the WordPress installation to restricted network access, implement database-level access controls limiting the WordPress database user to minimal required permissions, and monitor database query logs for evidence of exploitation attempts. Apply input validation rules at the WordPress plugin layer as a temporary additional control, but recognize this does not replace patching.
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions. Rated high severity
Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persi
Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenti
Broken access control in the QuantumCloud ChatBot plugin for WordPress (versions <= 7.9.7) allows authenticated low-priv
The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versio
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15847