CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5254 – AI ChatBot <= 4.8.9 - Unauthenticated Sensitive Information Exposure via qcld_wb_chatbot_check_user
https://notcve.org/view.php?id=CVE-2023-5254
The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcld_wb_chatbot_check_user function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site as well as order information for existing users. El complemento ChatBot para WordPress es vulnerable a la exposición de información confidencial en versiones hasta la 4.8.9 incluida a través de la función qcld_wb_chatbot_check_user. Esto puede permitir a atacantes no autenticados extraer datos confidenciales, incluida la confirmación de si existe un nombre de usuario en el sitio, así como información de pedidos para los usuarios existentes. • https://plugins.trac.wordpress.org/browser/chatbot/trunk/functions.php#L1224 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/d897daf8-5320-4546-9a63-1d34a15b2a58?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5533 – AI ChatBot <= 4.8.9 and 4.9.2 - Missing Authorization on AJAX actions
https://notcve.org/view.php?id=CVE-2023-5533
The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions that were intended for higher privileged users. El complemento AI ChatBot para WordPress es vulnerable al uso no autorizado de acciones AJAX debido a la falta de comprobaciones de capacidad en las funciones correspondientes en versiones hasta la 4.8.9 y la 4.9.2 incluida. Esto hace posible que atacantes no autenticados realicen algunas de aquellas acciones destinadas a usuarios con mayores privilegios. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/a9db002f-ff41-493a-87b1-5f0b4b07cfc2?source=cve • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5534 – AI ChatBot <= 4.8.9 and 4.9.2 - Cross-Site Request Forgery on AJAX actions
https://notcve.org/view.php?id=CVE-2023-5534
The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce validation on the corresponding functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento AI ChatBot para WordPress es vulnerable a Cross-Site Request Forgery en versiones hasta la 4.8.9 y 4.9.2 incluida. Esto se debe a una validación nonce faltante o incorrecta en las funciones correspondientes. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/846bd929-45cd-4e91-b232-ae16dd2b12a0?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44993 – WordPress ChatBot Plugin <= 4.7.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-44993
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.7.8 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento QuantumCloud AI ChatBot en versiones <= 4.7.8. The ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7.8. This is due to missing or incorrect nonce validation on the qc_wp_latest_update_check function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/chatbot/wordpress-ai-chatbot-plugin-4-7-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4253 – Chatbot < 4.7.8 - Admin+ Stored XSS in FAQ Builder
https://notcve.org/view.php?id=CVE-2023-4253
The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El plugin AI ChatBot para WordPress anterior a la versión 4.7.8 no sanitiza ni escapa alguno de sus ajustes, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting (XSS) almacenado incluso cuando la función "unfiltered_html" no está permitida (por ejemplo, en una configuración multisitio). The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions up to, and including, 4.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/1cbbab9e-be3d-4081-bc0e-c52d500d9871 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •