Description

WordPress Plugin AI ChatBot is prone to a directory traversal vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin AI ChatBot versions up to, and including, 4.8.9 and version 4.9.2 are vulnerable.

Remediation

Update to plugin versions 4.9.1, 4.9.3 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/chatbot/ai-chatbot-489-authenticated-subscriber-directory-traversal-to-arbitrary-file-write-via-qcld-openai-upload-pagetraining-file

https://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.html

https://plugins.svn.wordpress.org/chatbot/trunk/readme.txt

Related Vulnerabilities

Osclass Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-0973)

SharePoint CVE-2023-29357 Vulnerability (CVE-2023-29357)

MediaWiki URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2019-19709)

OpenSSL Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2014-8176)

Apache HTTP Server CVE-2018-11763 Vulnerability (CVE-2018-11763)

Severity

High

Classification

CVE-2023-5241 CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Directory Traversal