CVE-2025-69388

Vulnerability

Overview

The Cliengo – Chatbot plugin for WordPress versions up to and including 3.0.4 suffers from a missing authorization vulnerability [1]. This is a broken access control issue where the plugin fails to properly verify permissions or nonce tokens in certain functions, allowing unauthenticated users to perform actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without any authentication by sending crafted requests to the affected plugin endpoints [1]. The lack of proper access control checks means the attacker does not need any special privileges or prior access to the target WordPress site. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions within the plugin's context, potentially leading to data exposure, configuration changes, or other unintended operations [1]. The CVSS v3 base score of 6.5 (Medium) reflects the moderate severity, though the ease of exploitation and potential for widespread attacks increases the practical risk [1].

Mitigation

The vulnerability has been addressed in version 3.0.5 of the plugin [1]. Users are strongly advised to update to this patched version immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update can be applied [1].