// For flags

CVE-2023-5241

AI ChatBot <= 4.8.9 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "<?php" to any existing file on the server resulting in potential DoS when appended to critical files such as wp-config.php.

AI ChatBot para WordPress es vulnerable a Directory Traversal en versiones hasta 4.8.9 y 4.9.2 incluida a través de la función qcld_openai_upload_pagetraining_file. Esto permite a atacantes a nivel de suscriptor agregar "

WordPress AI ChatBot plugin versions 4.8.9 and below suffer from arbitrary file deletion, remote SQL injection, and directory traversal vulnerabilities.

*Credits: Marco Wotschka
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-09-27 CVE Reserved
  • 2023-10-11 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Quantumcloud
Search vendor "Quantumcloud"
Ai Chatbot
Search vendor "Quantumcloud" for product "Ai Chatbot"
< 4.9.1
Search vendor "Quantumcloud" for product "Ai Chatbot" and version " < 4.9.1"
wordpress
Affected
Quantumcloud
Search vendor "Quantumcloud"
Ai Chatbot
Search vendor "Quantumcloud" for product "Ai Chatbot"
4.9.2
Search vendor "Quantumcloud" for product "Ai Chatbot" and version "4.9.2"
wordpress
Affected