VYPR
Unrated severity · NVD Advisory · Published May 8, 2023 · Updated May 5, 2025

ChatBot < 4.4.9 - Unauthenticated Stored XSS

CVE-2023-1660

Description

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF checks in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated stored XSS in AI ChatBot WordPress plugin before 4.4.9 due to missing authorization and CSRF checks.

Vulnerability

The AI ChatBot WordPress plugin versions before 4.4.9 lack authorization and CSRF protection in a function hooked to the init action. This allows unauthenticated users to update certain plugin settings. Because the plugin does not escape these settings when outputting them in the admin dashboard, a stored cross-site scripting (XSS) vulnerability exists [1].
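The flaw described above is a missing-checks pattern in a WordPress settings handler hooked to init. The following is an added illustration of the hardened form a plugin author would write, not the AI ChatBot plugin's own code; the hook callback, option name, field names and nonce action are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. A settings handler hooked to
// init with the three controls the described vulnerability lacked:
// authorization, CSRF protection, and escaping on output.
// Function, option and field names are hypothetical.
add_action('init', 'example_chatbot_save_settings');

function example_chatbot_save_settings() {
    // Only act when our own settings form was submitted.
    if (!isset($_POST['example_chatbot_save'])) {
        return;
    }
    // Authorization check: init fires for every request, including those
    // from anonymous visitors, so the handler must verify capability itself.
    if (!current_user_can('manage_options')) {
        return;
    }
    // CSRF check: the request must carry a nonce bound to this action and
    // to the current user's session; a forged cross-site POST will not have it.
    $nonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'example_chatbot_save_settings')) {
        return;
    }
    // Sanitize on input before storing the value.
    $greeting = sanitize_text_field(wp_unslash($_POST['example_greeting'] ?? ''));
    update_option('example_chatbot_greeting', $greeting);
}

// Admin dashboard output. Escaping at the point of output is what prevents
// stored XSS even if an unsanitized value ever reached the options table.
function example_chatbot_render_settings_form() {
    $greeting = get_option('example_chatbot_greeting', '');
    ?>
    <form method="post">
        <?php wp_nonce_field('example_chatbot_save_settings'); ?>
        <label>Greeting:
            <input type="text" name="example_greeting"
                   value="<?php echo esc_attr($greeting); ?>">
        </label>
        <p>Current greeting: <?php echo esc_html($greeting); ?></p>
        <button type="submit" name="example_chatbot_save" value="1">Save</button>
    </form>
    <?php
}
```

Note that `esc_attr` is used inside the attribute and `esc_html` in element content; each context needs its own escaping function.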

Exploitation

An unauthenticated attacker can craft a request to update plugin settings without a CSRF token. By injecting malicious JavaScript into a setting that is later displayed in the admin dashboard, the attacker can achieve stored XSS. No authentication or user interaction is required for the initial injection [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an administrator's browser session. This can lead to session hijacking, defacement of the admin interface, or further compromise of the WordPress site [1].

Mitigation

The vulnerability is fixed in version 4.4.9 of the AI ChatBot plugin. Users should update to this version or later. No workarounds are documented in the available references [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
