CVE-2023-1651: ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS
First published: Mon May 08 2023(Updated: )
The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Quantumcloud Ai Chatbot | <4.4.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-1651?
CVE-2023-1651 is a vulnerability in the AI ChatBot WordPress plugin before version 4.4.9 that allows authenticated users to update the OpenAI settings without proper authorization and CSRF protection.
How severe is CVE-2023-1651?
CVE-2023-1651 has a severity score of 5.4, which is considered medium.
How does CVE-2023-1651 affect the AI ChatBot WordPress plugin?
CVE-2023-1651 affects the AI ChatBot WordPress plugin before version 4.4.9 by allowing authenticated users, such as subscribers, to update the OpenAI settings without proper authorization and CSRF protection.
What is the Common Weakness Enumeration (CWE) for CVE-2023-1651?
CVE-2023-1651 is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-352 (Cross-Site Request Forgery (CSRF)).
How can I fix CVE-2023-1651?
To fix CVE-2023-1651, update the AI ChatBot WordPress plugin to version 4.4.9 or newer.
- collector/nvd-latest
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/title
- agent/references
- agent/severity
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/quantumcloud
- canonical/quantumcloud ai chatbot