Lucene search

[email protected]NVD:CVE-2023-1651

HistoryMay 08, 2023 - 2:15 p.m.

CVE-2023-1651

2023-05-0814:15:12

[email protected]

web.nvd.nist.gov

wordpress

plugin

authorization

csrf

ajax

openai

settings

authentication

stored xss

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

23.5%

JSON

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS

Affected configurations

Nvd

Node

quantumcloudai_chatbotRange<4.4.9wordpress

VendorProductVersionCPE
quantumcloudai_chatbot*cpe:2.3:a:quantumcloud:ai_chatbot:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
quantumcloud	ai_chatbot	*	cpe:2.3:a:quantumcloud:ai_chatbot::::::wordpress::*

References

wpscan.com/vulnerability/c88b22ba-4fc2-49ad-a457-224157521bad