AI ChatBot < 4.5.5 - Admin+ Stored Cross-Site Scripting
Description
The AI ChatBot WordPress plugin before 4.5.5 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in AI ChatBot WordPress plugin settings allows admin users to inject arbitrary scripts, even with unfiltered_html disabled.
Vulnerability
The AI ChatBot WordPress plugin prior to version 4.5.5 does not sanitize and escape its settings. This allows high-privilege users such as administrators to perform stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed. [1]
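The defect class described above, shown as an added example that is not the AI ChatBot plugin's own code: a hypothetical plugin settings field saved and printed without sanitizing or escaping, beside the hardened form that uses WordPress's register_setting() sanitize_callback on save and context-specific escaping on output. The option name, group and function names are assumptions.

```php
<?php
// Added illustration, not code from the AI ChatBot plugin. The option
// 'acb_demo_greeting' and the 'acb_demo_group' settings group are hypothetical.

// --- Vulnerable pattern: raw input stored, raw value printed ---------------
function acb_demo_save_unsafe() {
    // Whatever an admin submits is stored unchanged, so markup survives
    // even when the saving user lacks the unfiltered_html capability.
    update_option( 'acb_demo_greeting', wp_unslash( $_POST['acb_demo_greeting'] ) );
}

function acb_demo_render_unsafe() {
    // The stored value is echoed straight into the admin page, so any
    // script it contains runs in the browser of every user who views it.
    echo '<input name="acb_demo_greeting" value="' . get_option( 'acb_demo_greeting' ) . '">';
}

// --- Hardened pattern: sanitize on save, escape on output -----------------
function acb_demo_sanitize_greeting( $value ) {
    // Plain-text setting: strip tags, line breaks and control characters.
    // If limited HTML were genuinely required, wp_kses_post() would enforce
    // the post allow-list regardless of who is saving.
    return sanitize_text_field( $value );
}

function acb_demo_register_settings() {
    register_setting(
        'acb_demo_group',
        'acb_demo_greeting',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'acb_demo_sanitize_greeting',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'acb_demo_register_settings' );

function acb_demo_render_safe() {
    // Escape for the exact output context: esc_attr() inside an attribute
    // value, esc_html() for text nodes.
    printf(
        '<input type="text" name="acb_demo_greeting" value="%s">',
        esc_attr( get_option( 'acb_demo_greeting', '' ) )
    );
}
```

Because register_setting() hooks the option's sanitize filter, the callback runs on every update_option() for that option, not only on submissions through the settings form.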
Exploitation
An attacker with administrator access can inject malicious scripts into plugin settings. When these settings are rendered, the scripts execute in the context of other users accessing the admin pages. No user interaction beyond viewing the affected page is required. [1]
Impact
Successful exploitation leads to arbitrary script execution in the admin area, potentially allowing the attacker to steal cookies, modify pages, or perform other actions with the victim's privileges. [1]
Mitigation
Update to version 4.5.5, released on 2023-05-22, which fixes the vulnerability. [1] No workaround is mentioned.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <4.5.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/f689442a-a851-4140-a10c-ac579f9da142 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.