Introduction
WPBot is an easy to use, Native, No coding required, AI ChatBot plugin for WordPress websites. It can be powered by DialogFlow or OpenAI GPT-3 (ChatGPT). Own and Manage your ChatBot from the WordPress Dashboard.
CVE-2023-2811 The plugin does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Understanding
The AI ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected
Software Type | Plugin |
---|---|
Software Slug | chatbot |
Patched? | Yes |
Remediation | Update to version 4.5.6, or a newer patched version |
Affected Version | <= 4.5.5 |
Patched Version | 4.5.6 |
Technical Details
System Installation/Setup
- Simply Activating the Plugin will start showing the ChatBot in the front end
- Go to WPBot menu to adjust settings
- Change All languages from the Language center area. You can use the ChatBot in any language
Vulnerability Analysis
In chatbot version <= 4.5.5, Data from qlcd_wp_chatbot_help_welcome
, qlcd_wp_chatbot_help_msg
, qlcd_wp_chatbot_reset
does not adequately escape, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks.
To prevent, Developer should use wp_kses_post
function to sanitizes content for allowed HTML tags for post content. This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.
1662c1662
< $help_welcome_options = maybe_unserialize(get_option('qlcd_wp_chatbot_help_welcome'));
---
> $help_welcome_options = maybe_unserialize(wp_kses_post(get_option('qlcd_wp_chatbot_help_welcome')));
1670c1670
< $help_msg_options = maybe_unserialize(get_option('qlcd_wp_chatbot_help_msg'));
---
> $help_msg_options = maybe_unserialize(wp_kses_post(get_option('qlcd_wp_chatbot_help_msg')));
1678c1678
< $reset_options = maybe_unserialize(get_option('qlcd_wp_chatbot_reset'));
---
> $reset_options = maybe_unserialize(wp_kses_post(get_option('qlcd_wp_chatbot_reset')));
Proof of Concept
https://drive.google.com/file/d/1v0DYplfmvusu7bmduy–9F5zE7JkYRvD/view