Chatbot < 4.7.8 - Admin+ Stored XSS in Language Settings
Description
The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AI ChatBot WordPress plugin before 4.7.8 contains a stored XSS vulnerability in its language settings due to insufficient sanitization and escaping, exploitable by administrators even where the unfiltered_html capability is disallowed, as it is by default in multisite.
Vulnerability
The AI ChatBot WordPress plugin prior to version 4.7.8 does not sanitize and escape some of its settings, specifically in language configuration options. This allows stored cross-site scripting (XSS) when a high-privilege user (e.g., administrator) saves a malicious payload into the settings. The vulnerability is present even when the unfiltered_html capability is disallowed, such as in a multisite setup [1].
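The following is an added illustration of the pattern the description refers to, written for this page; it is not the AI ChatBot plugin's code, and the option name, settings group, element ids and function names (prefixed xss_demo_) are assumptions. The vulnerable half stores the submitted value verbatim and echoes it unescaped; the hardened half applies the standard WordPress fix, a sanitize_callback on save plus context-appropriate escaping on output, and does not rely on the unfiltered_html capability at all.

```php
<?php
// Illustrative example only: not the AI ChatBot plugin's code.
// Option name 'xss_demo_language_label', group 'xss_demo_group' and all
// xss_demo_* function names are assumptions made for this page.

// ---- Vulnerable pattern (the "before") ----------------------------------

// register_setting() without a sanitize_callback stores whatever an
// administrator submits on the settings page, unchanged.
function xss_demo_register_vulnerable() {
    register_setting( 'xss_demo_group', 'xss_demo_language_label' );
}

// The raw option is echoed straight into the page. A saved value such as
// <script>...</script>, or "><img src=x onerror=...> inside the attribute,
// executes in the browser of every visitor who loads a page that renders it.
function xss_demo_render_vulnerable() {
    $label = get_option( 'xss_demo_language_label', 'Language' );
    echo '<label for="xss-demo-lang">' . $label . '</label>';
    echo '<input id="xss-demo-lang" value="' . $label . '">';
}

// ---- Hardened pattern: sanitize on save, escape on output ---------------

// A plain-text label never needs markup, so strip tags, encoded line breaks
// and invalid octets on the way in. No exception is made for
// current_user_can( 'unfiltered_html' ): multisite and the
// DISALLOW_UNFILTERED_HTML constant may have withheld that capability from
// administrators, and the setting should be safe regardless.
function xss_demo_sanitize_label( $value ) {
    return sanitize_text_field( (string) $value );
}

function xss_demo_register_hardened() {
    register_setting(
        'xss_demo_group',
        'xss_demo_language_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'xss_demo_sanitize_label',
            'default'           => 'Language',
        )
    );
}
// Only the hardened registration is hooked here; the vulnerable one above is
// shown for contrast and must not be registered for the same option.
add_action( 'admin_init', 'xss_demo_register_hardened' );

// Escape for the context the value lands in: esc_html() for a text node,
// esc_attr() for an attribute value. Sanitizing on save alone is not enough,
// because the stored value may predate the fix or be written by other code.
function xss_demo_render_hardened() {
    $label = get_option( 'xss_demo_language_label', 'Language' );
    echo '<label for="xss-demo-lang">' . esc_html( $label ) . '</label>';
    echo '<input id="xss-demo-lang" value="' . esc_attr( $label ) . '">';
}

// If a setting legitimately needs limited HTML, filter it against the post
// allow-list rather than trusting the saver's capability; wp_kses_post()
// removes <script> and on* event handler attributes while keeping basic markup.
function xss_demo_sanitize_rich_text( $value ) {
    return wp_kses_post( (string) $value );
}
```

The distinction the description draws (sanitise and escape) maps onto the two halves of the hardened code: sanitize_callback guards the write path, esc_html()/esc_attr() guard the read path, and neither depends on whether the saving user holds unfiltered_html.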
Exploitation
An attacker with administrator access to the WordPress dashboard enters a JavaScript payload into the affected language settings field and saves it. Because the plugin neither sanitizes the value on save nor escapes it on output, the payload is stored as-is and executes in the browser of any user who later views a page on which the plugin renders that setting. The victim needs only to visit the page; the attacker's only action is the initial save [1].
Impact
Successful exploitation leads to stored cross-site scripting (stored XSS). An attacker can execute arbitrary JavaScript in the browsers of other users (including lower-privilege users or site visitors) who access pages that display the injected setting. This can result in session hijacking, actions performed on behalf of the victim, or other client-side attacks. The finding matters mainly where the unfiltered_html capability has been withheld from administrators (the default in multisite, where only super admins hold it): an administrator who is not supposed to be able to place script in the site's output can do so through this setting, and the payload persists for every subsequent visitor [1].
Mitigation
Update the AI ChatBot plugin to version 4.7.8 or later, which contains the fix. The vulnerability was publicly disclosed on 2023-08-08 and the fixed version was released on the same date [1]. If immediate updating is not possible, restrict admin-level access to trusted users only, as the attack requires admin privileges to inject the payload. No other workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 4.7.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] wpscan.com/vulnerability/0dfffe48-e60d-4bab-b194-8a63554246c3 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.