Home CVE-2023-2811: AI ChatBot <= 4.5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Post
Cancel

CVE-2023-2811: AI ChatBot <= 4.5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Posted May 30, 2023 Updated Oct 2, 2023
Preview Image
By tusnj
1 min read

Introduction

WPBot is an easy to use, Native, No coding required, AI ChatBot plugin for WordPress websites. It can be powered by DialogFlow or OpenAI GPT-3 (ChatGPT). Own and Manage your ChatBot from the WordPress Dashboard.

CVE-2023-2811 The plugin does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Understanding

The AI ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affected

Software TypePlugin
Software Slugchatbot
Patched?Yes
RemediationUpdate to version 4.5.6, or a newer patched version
Affected Version<= 4.5.5
Patched Version4.5.6

Technical Details

System Installation/Setup

  1. Simply Activating the Plugin will start showing the ChatBot in the front end
  2. Go to WPBot menu to adjust settings
  3. Change All languages from the Language center area. You can use the ChatBot in any language

Vulnerability Analysis

In chatbot version <= 4.5.5, Data from qlcd_wp_chatbot_help_welcome, qlcd_wp_chatbot_help_msg, qlcd_wp_chatbot_reset does not adequately escape, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks.

To prevent, Developer should use wp_kses_post function to sanitizes content for allowed HTML tags for post content. This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

1662c1662
< $help_welcome_options = maybe_unserialize(get_option('qlcd_wp_chatbot_help_welcome'));
---
> $help_welcome_options = maybe_unserialize(wp_kses_post(get_option('qlcd_wp_chatbot_help_welcome')));
1670c1670
< $help_msg_options = maybe_unserialize(get_option('qlcd_wp_chatbot_help_msg'));
---
> $help_msg_options = maybe_unserialize(wp_kses_post(get_option('qlcd_wp_chatbot_help_msg')));
1678c1678
< $reset_options = maybe_unserialize(get_option('qlcd_wp_chatbot_reset'));
---
> $reset_options = maybe_unserialize(wp_kses_post(get_option('qlcd_wp_chatbot_reset')));

Proof of Concept

https://drive.google.com/file/d/1v0DYplfmvusu7bmduy–9F5zE7JkYRvD/view

CVE Submit

CVE Reference

https://www.cve.org/CVERecord?id=CVE-2023-2811

Blog, CVE
CVE
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents