CVE-2025-3812 - Vulnerability Details

- WPBot Pro Wordpress Chatbot <= 13.6.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Description

The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Published: 2025-05-17

Score: 8.1 High

EPSS: 2.2% Low

KEV: No

Impact:

Action:

Analysis

Impact

The WPBot Pro Wordpress Chatbot plugin contains a path validation flaw in the qcld_openai_delete_training_file() function that allows an authenticated user with Subscriber-level access or higher to delete any file on the server. This enables an attacker to remove critical configuration files such as wp-config.php, which can immediately result in remote code execution and full compromise of the WordPress installation. The weakness is a classic CWE-73 "Path Traversal" defect.

Affected Systems

WPBot Pro Wordpress Chatbot, produced by QuantumCloud, is vulnerable in all releases up to and including version 13.6.2. Any WordPress site that has an affected instance of this plugin installed is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity. The EPSS score of 2% suggests a low but non‑negligible probability of exploitation in the near term. It is not listed in the CISA KEV catalog, so there are no known publicly documented exploits, but internal attackers or users with legitimate Subscriber access still pose a significant threat. The attack requires valid authentication within the WordPress site, so mitigating the path to user authentication and hardening file permissions are key to reducing risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

QuantumCloud

WPBot Pro Wordpress Chatbot

unaffected

Version	Status	Constraints
`0`	affected	≤ 13.6.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update WPBot Pro to version 13.6.3 or later, which removes the insecure file deletion code
Restrict file permissions on the WordPress installation so that the web server user cannot delete configuration files such as wp-config.php
Audit Subscriber and higher role accounts for unusual file operations and enforce the principle of least privilege on user roles

Generated by OpenCVE AI on April 21, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-15565	The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.02178.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.wordfence.com/threat-intel/vulnerabilities/id/8fe1609d-17d6-4afe-90b2-5473dc9b6c3b?source=cve
https://www.wpbot.pro/

History

Mon, 19 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 17 May 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title		WPBot Pro Wordpress Chatbot <= 13.6.2 - Authenticated (Subscriber+) Arbitrary File Deletion
Weaknesses		CWE-73
References		https://www.wordfence.com/threat-intel/vulnerabilities/id/8fe1609d-17d6-4afe-90b2-5473dc9b6c3b?source=cve https://www.wpbot.pro/
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-05-17T05:30:34.394Z

Updated: 2026-04-08T17:06:38.908Z

Reserved: 2025-04-18T18:25:34.025Z

Link: CVE-2025-3812

Vulnrichment

Updated: 2025-05-19T15:40:03.801Z

NVD

Status : Deferred

Published: 2025-05-17T06:15:18.660

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:35Z

Weaknesses

CWE-73

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object