CVSS: 10.0EPSS: 44%CPEs: 1EXPL: 1CVE-2023-1650 – ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-1650
12 Apr 2023 — The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog The ChatBot plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.4.6 via deserialization of untrusted input from cookies This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.... • https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1651 – ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS
https://notcve.org/view.php?id=CVE-2023-1651
12 Apr 2023 — The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS The ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘openai_settings_option_callback’ function in versions up to, and including, 4.4.8 due to insufficient input sanitizatio... • https://wpscan.com/vulnerability/c88b22ba-4fc2-49ad-a457-224157521bad • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1660 – ChatBot < 4.4.9 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2023-1660
12 Apr 2023 — The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard The ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting in the Admin Dashboard in versions up to, and including, 4.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack... • https://wpscan.com/vulnerability/1a5cbcfc-fa55-433a-a76b-3881b6c4bea2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24415 – WordPress AI ChatBot plugin <= 4.2.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-24415
27 Jan 2023 — Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions. Vulnerabilidad Cross-Site Request Forgery (CSRF) en versiones 4.2.8 y anteriores del plugin QuantumCloud ChatBot ?. The ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.2.8. This is due to missing or incorrect nonce validation on the 'qcld_wb_chatbot_save_options' function. This makes it possible for unauthenticated attackers to inject arbitrary web... • https://patchstack.com/database/vulnerability/chatbot/wordpress-chatbot-plugin-4-2-8-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47613 – WordPress AI ChatBot Plugin <= 4.3.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-47613
27 Jan 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud AI ChatBot plugin <= 4.3.0 versions. The ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘qlcd_wp_chatbot_email_sub’ parameter in versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for administrator-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Auth. • https://patchstack.com/database/vulnerability/chatbot/wordpress-chatbot-plugin-4-3-0-multiple-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23981 – WordPress Conversational Forms for ChatBot Plugin <= 1.1.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23981
20 Jan 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud Conversational Forms for ChatBot plugin <= 1.1.6 versions. The Conversational Forms for ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via a form name in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute wh... • https://patchstack.com/database/vulnerability/conversational-forms/wordpress-conversational-forms-for-chatbot-plugin-1-1-6-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3074 – Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3074
05 Sep 2022 — The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. El plugin Slider Hero de WordPress versiones anteriores a 8.4.4, no escapa del nombre del slider, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting. The Slider Hero plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in versions up to, and including,... • https://wpscan.com/vulnerability/90ebaedc-89df-413f-b22e-753d4dd5e1c3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 83%CPEs: 1EXPL: 1CVE-2022-0747 – Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-0747
28 Feb 2022 — The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection El plugin Infographic Maker de WordPress versiones anteriores a 4.3.8, no comprueba ni escapa del parámetro post_id antes de usarlo en una sentencia SQL por medio de la acción AJAX qcld_upvote_action (disponible para usuarios autentica... • https://plugins.trac.wordpress.org/changeset/2684336 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 77%CPEs: 1EXPL: 1CVE-2022-0760 – Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
https://notcve.org/view.php?id=CVE-2022-0760
28 Feb 2022 — The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection El plugin Simple Link Directory de WordPress versiones anteriores a 7.7.2 no comprueba ni escapa el parámetro post_id antes de usarlo en una sentencia SQL por medio de la acción AJAX qcopd_upvote_action (disponible para usuarios a... • https://plugins.trac.wordpress.org/changeset/2684915 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24725 – Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24725
23 Aug 2021 — The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments El plugin Comment Link Remove and Other Comment Tools de WordPress versiones anteriores a 2.1.6, no presenta una comprobación de tipo CSRF en su acción "Delete comments easily", lo que podría permitir a atacantes hacer que el administrador conectado elimine comentarios arbitrarios • https://wpscan.com/vulnerability/01483284-57f5-4ae9-b5f1-ae26b623571f • CWE-352: Cross-Site Request Forgery (CSRF) •