Kognetiks Chatbot for WordPress <= 2.1.7 - Reflected Cross-Site Scripting
Description
Reflected XSS in Kognetiks Chatbot for WordPress plugin via 'dir' parameter allows unauthenticated script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Kognetiks Chatbot for WordPress plugin versions up to and including 2.1.7 are vulnerable to reflected cross-site scripting (XSS) via the 'dir' parameter [1]. The vulnerability arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts.
Exploitation
An attacker can craft a malicious URL containing a script payload in the 'dir' parameter and trick a user into clicking it. No authentication is required. The script executes in the victim's browser when the request is processed.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, phishing, or theft of sensitive information.
Mitigation
The reference cites plugin version 2.4.6 as the latest release but does not explicitly confirm whether it fixes this issue [1]. Users should update to the latest version if it addresses the issue, or apply input validation and output escaping on the 'dir' parameter. Until a patched version is verified, a web application firewall rule can block malicious 'dir' parameter values.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
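The validation-plus-escaping mitigation described above, as an added PHP example that is not the plugin's code; the template, the function names, and the assumption that 'dir' carries a text direction (ltr/rtl) are all hypothetical:

```php
<?php
// Added example; not the Kognetiks plugin's own code. It assumes a
// hypothetical template that reflects a 'dir' request parameter into
// an HTML attribute (the pattern the advisory describes) and that the
// parameter is meant to carry a text direction, ltr or rtl.

// Vulnerable pattern: the raw value is concatenated into markup, so
// whatever arrives in the URL reaches the page unescaped.
function render_dir_unsafe(string $raw): string
{
    return '<div dir="' . $raw . '">';
}

// Output escaping that works with or without WordPress loaded.
function attr_escape(string $value): string
{
    if (function_exists('esc_attr')) {
        return esc_attr($value);          // WordPress escaping helper
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: allowlist the value first (anything outside the
// allowlist falls back to the default), then escape on output anyway
// so a later change to the allowlist cannot reintroduce the bug.
function render_dir_safe(string $raw, string $default = 'ltr'): string
{
    $allowed = ['ltr', 'rtl'];
    $candidate = strtolower(trim($raw));
    $dir = in_array($candidate, $allowed, true) ? $candidate : $default;
    return '<div dir="' . attr_escape($dir) . '">';
}

// Constructed inputs for a quick local check: php this_file.php
if (PHP_SAPI === 'cli') {
    var_dump(render_dir_safe('rtl') === '<div dir="rtl">');
    var_dump(render_dir_safe('not-a-direction') === '<div dir="ltr">');
}
```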
Affected products
- (no CPE) range: <=2.1.7
- (no CPE) range: 0
Patches
- r3183413
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.