Skip to main content

Wpbot Ai Chatbot For Live Support Lead Generation Ai Services

3 CVEs product

Monthly

CVE-2026-15610 MEDIUM This Month

Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15106 MEDIUM This Month

Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-13731 HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
EPSS 0% CVSS 7.2
HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy