CVE-2025-12078 - Vulnerability Details

- ArtiBot Free Chat Bot for WebSites <= 1.1.7 - Reflected Cross-Site Scripting via PostMessage

Description

The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: 2025-11-18

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The ArtiBot Free Chat Bot for WebSites plugin for WordPress contains a reflected cross‑site scripting flaw that arises when untrusted input sent via the browser’s PostMessage API is not properly escaped. An unauthenticated attacker can embed arbitrary JavaScript in a page that is rendered for the user when the victim is tricked into visiting a specially crafted link. If executed, the script runs with the victim’s privileges and can steal session cookies, deface content, or perform other malicious actions on the site.

Affected Systems

All installations of the ArtiBot Free Chat Bot for WebSites plugin through version 1.1.7, including every WordPress site that has the plugin activated. Version information for the specific vulnerable releases is not provided in the advisory data, but the vulnerability applies to all releases up to and including 1.1.7.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score, being less than 1%, suggests that the probability of exploitation at any given time is low, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw is exploitable by unauthenticated users and relies solely on user interaction—such as clicking a malicious link—the attack vector is indirect, but once successful it can compromise confidentiality and integrity of the affected site. The lack of input validation and output escaping in the plugin’s handling of PostMessage data is the root cause.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

artibot

ArtiBot Free Chat Bot for WebSites

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.7

No data.

Vendor	Product	Confidence	Versions
Artibot	Artibot	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the ArtiBot plugin to the latest version (at least 1.1.8) which removes the vulnerable PostMessage handling.
If an upgrade is not immediately possible, permanently disable or remove the plugin from the WordPress installation to eliminate the attack surface.
Implement a web application firewall or security plugin that blocks reflected XSS payloads and enforces input sanitization for PostMessage events.

Generated by OpenCVE AI on April 21, 2026 at 01:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://wordpress.org/plugins/artibot/
https://www.wordfence.com/threat-intel/vulnerabilities/id/efe48adb-af9f-45dc-b693-ae56dce1bfe2?source=cve

History

Wed, 19 Nov 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Artibot Artibot artibot Wordpress Wordpress wordpress
Vendors & Products		Artibot Artibot artibot Wordpress Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title		ArtiBot Free Chat Bot for WebSites <= 1.1.7 - Reflected Cross-Site Scripting via PostMessage
Weaknesses		CWE-79
References		https://wordpress.org/plugins/artibot/ https://www.wordfence.com/threat-intel/vulnerabilities/id/efe48adb-af9f-45dc-b693-ae56dce1bfe2?source=cve
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Artibot Artibot

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-18T08:27:37.836Z

Updated: 2026-04-08T17:32:07.422Z

Reserved: 2025-10-22T15:13:39.320Z

Link: CVE-2025-12078

Vulnrichment

Updated: 2025-11-18T21:07:58.008Z

NVD

Status : Deferred

Published: 2025-11-18T09:15:47.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object