Chatbot < 4.7.8 - Admin+ Stored XSS in FAQ Builder
Description
The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in AI ChatBot WordPress plugin settings allows admins to inject scripts, even in multisite without unfiltered_html.
Vulnerability
The AI ChatBot WordPress plugin before version 4.7.8 does not sanitize and escape some of its settings. This allows high privilege users (admin) to inject arbitrary JavaScript into the plugin's settings, which are stored in the database. The vulnerability exists in the FAQ builder or similar settings. Affected versions: all prior to 4.7.8.
Exploitation
An attacker with admin-level access to the WordPress site can navigate to the plugin settings and inject malicious JavaScript into unsanitized fields. The injected script will be stored and executed when any user views the FAQ settings page or wherever the settings output is displayed.
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS). The attacker can execute arbitrary JavaScript in the context of the victim's browser when they access the affected page. This can result in cookie theft, session hijacking, or other malicious actions. Even if the site disallows unfiltered_html (e.g., multisite), the attack is still possible because the plugin failed to sanitize the settings.
Mitigation
The vulnerability is fixed in version 4.7.8 of the AI ChatBot plugin. Sites running an older version should update to 4.7.8 or later. No workaround is provided in the reference [1].
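The root cause described above is a settings value that is neither sanitised when it is saved nor escaped when it is rendered, so the stored value bypasses the kses filtering that normally protects sites where unfiltered_html is disallowed. The following is an added example, not code from the AI ChatBot plugin or from the WPScan advisory; it shows the weak settings pattern next to the hardened one using WordPress' own settings API. The option names (myfaq_question, myfaq_answer), the settings group and the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code). Option keys, group name and function
// names below are assumed for illustration only.

// WEAK pattern: the option is registered without a sanitize_callback and echoed
// raw into an attribute. Whatever an admin typed is stored verbatim and rendered
// verbatim, so the value never passes through WordPress' kses filtering and the
// unfiltered_html capability restriction does not help.
// (These two functions are intentionally not hooked anywhere.)
function myfaq_register_settings_weak() {
    register_setting( 'myfaq_group', 'myfaq_question' ); // no sanitize_callback
}
function myfaq_render_question_weak() {
    echo '<input type="text" name="myfaq_question" value="' . get_option( 'myfaq_question' ) . '">';
}

// HARDENED pattern: sanitise on input, escape on output, with the escaping
// function chosen for the output context.
function myfaq_register_settings() {
    register_setting(
        'myfaq_group',
        'myfaq_question',
        array(
            'type'              => 'string',
            // sanitize_text_field() strips tags and normalises whitespace before
            // the value reaches the database.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
function myfaq_render_question() {
    $q = get_option( 'myfaq_question', '' );
    // esc_attr() inside an HTML attribute, esc_html() in element content.
    echo '<input type="text" name="myfaq_question" value="' . esc_attr( $q ) . '">';
    echo '<p>' . esc_html( $q ) . '</p>';
}

// An FAQ answer may legitimately contain limited HTML (links, emphasis).
// wp_kses_post() keeps the post-safe allowlist and drops script and event
// handler attributes; use it both when saving and when rendering.
function myfaq_register_answer_setting() {
    register_setting(
        'myfaq_group',
        'myfaq_answer',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
            'default'           => '',
        )
    );
}
function myfaq_render_answer() {
    echo wp_kses_post( get_option( 'myfaq_answer', '' ) );
}

add_action( 'admin_init', 'myfaq_register_settings' );
add_action( 'admin_init', 'myfaq_register_answer_setting' );
```

When reviewing a plugin for this class of bug, the check is the pairing: every register_setting() (or direct update_option()) call should have a sanitizer matched to the field's intended content, and every get_option() that reaches HTML output should pass through esc_attr(), esc_html(), esc_url() or wp_kses_post() for that context. Either half on its own leaves the stored-XSS path open for admin-level accounts on sites that rely on the unfiltered_html restriction.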
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AI ChatBot (WordPress plugin), range: < 4.7.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/1cbbab9e-be3d-4081-bc0e-c52d500d9871 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.