Critical severity9.6NVD Advisory· Published Oct 19, 2023· Updated Apr 8, 2026

CVE-2023-5212

Description

The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9 as well as version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. Version 4.9.1 originally addressed the issue, but it was reintroduced in 4.9.2 and fixed again in 4.9.3.

Affected products

Quantumcloud/Wpbot2 versions
cpe:2.3:a:quantumcloud:wpbot:*:*:*:*:*:wordpress:*:*+ 1 more
- cpe:2.3:a:quantumcloud:wpbot:*:*:*:*:*:wordpress:*:*range: <4.9.1
- cpe:2.3:a:quantumcloud:wpbot:4.9.2:*:*:*:*:wordpress:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatch
packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.htmlnvdThird Party AdvisoryVDB Entry
www.wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9e-03d69ae7acf2nvdThird Party Advisory
plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.phpnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.624
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000