CVE-2026-40788

Vulnerability

The ChatBot plugin for WordPress versions up to and including 7.9.7 suffers from a broken access control vulnerability. The plugin fails to validate authorization, authentication, or nonce tokens in certain functions, enabling unprivileged users (e.g., subscribers) to execute actions intended for higher-privileged roles. [1]

Exploitation

An attacker with a subscriber-level account can exploit the missing access control by sending crafted HTTP requests to the vulnerable endpoints. No additional network access or user interaction is required beyond being able to interact with the WordPress site. The attacker can trigger functions that should be restricted to administrators or editors. [1]

Impact

Successful exploitation allows the attacker to perform higher-privileged actions, such as modifying plugin settings, accessing sensitive data, or potentially achieving full site compromise. The impact includes unauthorized information disclosure, data modification, and privilege escalation. [1]

Mitigation

The vulnerability is fixed in version 7.9.9. Users should update to 7.9.9 or later immediately. For those unable to update, Patchstack offers a mitigation rule that blocks attacks until the update is applied. No other workarounds are documented. The plugin is actively targeted in mass-exploit campaigns. [1]