CVE-2025-64277
Description
Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through <= 7.3.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in QuantumCloud ChatBot plugin for WordPress allows unauthenticated attackers to exploit incorrectly configured access controls.
The ChatBot plugin for WordPress (versions up to 7.3.9) suffers from a missing authorization vulnerability. This means that certain functions or endpoints lack proper access control checks, allowing users without appropriate privileges to perform actions that should be restricted. The root cause is incorrectly configured access control security levels [1].
The vulnerability can be exploited by unauthenticated attackers or low-privileged users who can send crafted requests to the plugin's endpoints. Since the plugin does not verify authorization, an attacker can bypass intended restrictions. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of websites [1].
Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying settings, accessing sensitive data, or executing other privileged operations depending on the missing authorization. The CVSS score is 5.3 (Medium), indicating moderate severity [1].
The vendor has released version 7.4.0 which addresses the issue. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.