CVE-2025-11576 - Vulnerability Details

- AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant <= 1.6.5 - Unauthenticated CSV Injection

Description

The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Published: 2025-10-24

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an unauthenticated CSV injection flaw in the export function of the AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin. The flaw allows an attacker to inject untrusted input into exported CSV files, which may be interpreted by spreadsheet software as executable formulas. This could lead to remote code execution on a client machine that opens the file. The weakness is categorized as CWE‑1236, insufficient sanitization of user-controlled data.

Affected Systems

Affected systems are WordPress sites running the AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin version 1.6.5 or earlier. No specific patch version is listed in the data.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely through the public export endpoint, allowing any unauthenticated user to trigger the CSV generation and embed malicious payloads.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

newcodebyte

AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.6.5

No data.

Vendor	Product	Confidence	Versions
Newcodebyte	Ai Chatbot Free Models	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the plugin to the latest version once a fix is available
Remove or restrict the CSV export feature for public users, making it available only to trusted administrators
Implement or configure server‑side sanitization to strip leading '=', '+', '-', or '@' characters from exported data

Generated by OpenCVE AI on April 22, 2026 at 12:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00128.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3378450/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5064873b-e70a-4fe6-8c5c-ced6025aaa5f?source=cve

History

Mon, 27 Oct 2025 22:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Newcodebyte Newcodebyte ai Chatbot Free Models Wordpress Wordpress wordpress
Vendors & Products		Newcodebyte Newcodebyte ai Chatbot Free Models Wordpress Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Oct 2025 12:45:00 +0000

Type	Values Removed	Values Added
Description		The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Title		AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant <= 1.6.5 - Unauthenticated CSV Injection
Weaknesses		CWE-1236
References		https://plugins.trac.wordpress.org/changeset/3378450/ https://www.wordfence.com/threat-intel/vulnerabilities/id/5064873b-e70a-4fe6-8c5c-ced6025aaa5f?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Subscriptions

Newcodebyte Ai Chatbot Free Models

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-24T12:29:56.573Z

Updated: 2026-04-08T16:52:18.410Z

Reserved: 2025-10-09T23:55:23.529Z

Link: CVE-2025-11576

Vulnrichment

Updated: 2025-10-24T12:48:27.529Z

NVD

Status : Deferred

Published: 2025-10-24T13:15:46.203

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses

CWE-1236

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object