WordPress Kognetiks Chatbot for WordPress plugin <= 1.9.8 - Cross Site Scripting (XSS) vulnerability
Description
Stored XSS vulnerability in Kognetiks Chatbot for WordPress up to 1.9.8 allows authenticated attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Kognetiks Chatbot for WordPress plugin (chatbot-chatgpt) versions through 1.9.8 [1]. The plugin fails to properly neutralize user-supplied input during web page generation, allowing attackers to inject arbitrary JavaScript that is stored and later executed in the context of other users' browsers. The vulnerability affects all installations using the plugin up to and including version 1.9.8.
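The following PHP fragment is an added illustration of the vulnerability class described here, not code from the Kognetiks plugin or from this CVE record. It places a hypothetical WordPress settings handler that stores and echoes input without neutralizing it next to the hardened form that checks capability and nonce, sanitizes on save, and escapes at the point of output. The option name `demo_chat_greeting`, the nonce action `demo_chat_settings`, and the `demo_*` function names are assumptions; the WordPress API calls (`update_option`, `get_option`, `sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `wp_kses_post`, `current_user_can`, `check_admin_referer`) are real.

```php
<?php
// Added illustration of stored XSS in a WordPress plugin setting.
// Hypothetical handler, not Kognetiks code; option and function names are assumed.

// Vulnerable pattern: user input is written to an option unchanged and later
// echoed into the page without escaping, so any stored markup runs in the
// browser of whoever views the page.
function demo_vulnerable_save_and_render() {
    if ( isset( $_POST['demo_chat_greeting'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_option( 'demo_chat_greeting', $_POST['demo_chat_greeting'] );
    }
    // Raw output: the stored value is inserted verbatim into the HTML.
    echo '<p class="chat-greeting">' . get_option( 'demo_chat_greeting', '' ) . '</p>';
}

// Hardened pattern: authorize the request, sanitize on save, and escape on
// output according to the HTML context the value lands in.
function demo_hardened_save_and_render() {
    if ( isset( $_POST['demo_chat_greeting'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // Verifies the nonce for the assumed action name 'demo_chat_settings'.
        check_admin_referer( 'demo_chat_settings' );

        $clean = sanitize_text_field( wp_unslash( $_POST['demo_chat_greeting'] ) );
        update_option( 'demo_chat_greeting', $clean );
    }

    $greeting = get_option( 'demo_chat_greeting', '' );

    // Text node context: esc_html() neutralizes <, >, &, and quotes.
    echo '<p class="chat-greeting">' . esc_html( $greeting ) . '</p>';

    // Attribute context: esc_attr() is the correct escaper inside a quoted attribute.
    echo '<input type="text" name="demo_chat_greeting" value="' . esc_attr( $greeting ) . '">';
}

// Rendering stored chat messages: escape at output even though the value came
// from the database, since another code path may have stored it unsanitized.
function demo_render_message( $author, $body, $allow_basic_html = false ) {
    $safe_body = $allow_basic_html
        ? wp_kses_post( $body )   // allow-list of post-safe tags only
        : esc_html( $body );      // plain text, no markup survives
    return '<div class="chat-msg" data-author="' . esc_attr( $author ) . '">'
        . $safe_body . '</div>';
}
```

The point of the hardened version is that escaping happens where the value is written into HTML, chosen by context (`esc_html` for text, `esc_attr` for attributes, `wp_kses_post` only where limited markup is intended), rather than relying on sanitization at save time alone.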
Exploitation
An attacker must have at least Contributor-level access to the WordPress site to exploit this vulnerability. By crafting a malicious payload in a plugin input field (e.g., chat settings or message content) that is not sanitized, the attacker can inject JavaScript code. When an administrator or other user views the affected page (such as the chat interface or admin panel), the stored script executes in their browser session. No additional user interaction beyond viewing the page is required.
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, including session hijacking, defacement of the chat interface, redirection to malicious sites, or theft of sensitive information such as cookies or authentication tokens. The attack is persistent and can affect multiple users over time until the malicious input is removed.
Mitigation
The vulnerability is fixed in version 2.4.6 of the plugin [1]. Users should update to this version or later immediately. As of the publication date, no workaround is available; updating is the only reliable mitigation. The plugin is actively maintained, and users on older versions are strongly advised to upgrade.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3 entries: <=1.9.8, +1 more
- (no CPE) range: <=1.9.8
- (no CPE) range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.