CVE-2023-1651

Exploit

EPSS 0.14%
Veröffentlicht 08.05.2023 14:15:12
Zuletzt bearbeitet 12.05.2025 15:09:58
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

ChatBot <= 4.4.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via openai_settings_option_callback

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS

Mögliche Gegenmaßnahme

AI ChatBot – WPBot for Live Support and Lead Generation: Update to version 4.4.9, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt AI ChatBot – WPBot for Live Support and Lead Generation

Version *-4.4.8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Quantumcloud ≫ Wpbot SwPlatformwordpress Version < 4.4.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.332

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://wpscan.com/vulnerability/c88b22ba-4fc2-49ad-a457-224157521bad

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/d69cfed9-7369-40f3-b9a7-0cf2430e8eed

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-1651

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-1651

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-1651

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-1651