Description
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the site's MobileMonkey API token and company ID options, which can be used to hijack chatbot configuration and redirect visitor conversations to an attacker-controlled MobileMonkey account.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration hijack
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker who is not logged into the WordPress site to overwrite the MobileMonkey API token and company ID stored by the WP-Chatbot for Messenger plugin. By doing so, the attacker can hijack the chatbot configuration and redirect visitor conversations to a malicious MobileMonkey account. The flaw stems from the plugin failing to confirm that the requester has sufficient privileges before performing the token update, a classic authorization bypass as defined by CWE-862.

Affected Systems

All installations of WP-Chatbot for Messenger version 4.9 and earlier on WordPress sites are affected. The vendor responsible is Larry Kim. Sites that have not applied an update beyond version 4.9 are at risk; the specific configuration parameters that can be overwritten are the MobileMonkey API token and the company ID.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium risk level, and because exploitation requires nothing more than sending a crafted request, the vulnerability can be triggered by any unauthenticated user with network access to the site. Although no EPSS score is available, the absence of any privilege requirement means the likelihood of exploitation is uncertain but potentially high in environments where the plugin is exposed. The vulnerability has not been reported in the CISA KEV catalog, implying no public evidence of exploitation to date.

Generated by OpenCVE AI on March 21, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP-Chatbot for Messenger to the latest version (>=5.0 if available).
  • If an upgrade is not possible, restrict access to the plugin's admin URLs so that only authenticated users can reach them.
  • Revoke any potentially compromised MobileMonkey API tokens and regenerate new IDs.
  • Continuously monitor the site for unauthorized changes to the chatbot configuration.
  • Consult the vendor or the WordPress plugin repository for a formal fix or advisory.
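To make the CWE-862 pattern from the Impact section concrete, and to give the "monitor for unauthorized configuration changes" action above something to hook into, here is an added illustration written for this page. It is not code from the WP-Chatbot for Messenger plugin (the plugin's source is not on this page); the option names, hook names, request parameters and the `example_` prefix are all assumed. It shows a settings handler that saves an API token and company ID without any authorization check, the same handler with the capability and nonce checks WordPress provides, and a small `updated_option` listener that logs changes to those options.

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress settings handler.
// NOT the WP-Chatbot for Messenger code; option, hook and parameter names are assumed.

// VULNERABLE pattern: the handler runs for every request, logged in or not,
// and writes request-supplied values straight into wp_options.
function example_chatbot_save_settings_vulnerable() {
    if ( isset( $_POST['example_api_token'] ) ) {
        update_option( 'example_chatbot_api_token', sanitize_text_field( wp_unslash( $_POST['example_api_token'] ) ) );
        update_option( 'example_chatbot_company_id', sanitize_text_field( wp_unslash( $_POST['example_company_id'] ?? '' ) ) );
    }
}
// 'init' fires on every page load, including for anonymous visitors,
// so anyone who can reach the site can rewrite the options.
add_action( 'init', 'example_chatbot_save_settings_vulnerable' );

// HARDENED pattern: require an administrator capability and a valid nonce
// before touching the options, and only process the request on an admin hook.
function example_chatbot_save_settings_hardened() {
    if ( ! isset( $_POST['example_api_token'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change chatbot settings.', 'example' ), 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action
    // (the settings form emits it with wp_nonce_field( 'example_chatbot_save', 'example_chatbot_nonce' )).
    check_admin_referer( 'example_chatbot_save', 'example_chatbot_nonce' );

    update_option( 'example_chatbot_api_token', sanitize_text_field( wp_unslash( $_POST['example_api_token'] ) ) );
    update_option( 'example_chatbot_company_id', sanitize_text_field( wp_unslash( $_POST['example_company_id'] ?? '' ) ) );
}
// admin_post_{action} runs only via wp-admin/admin-post.php for logged-in users;
// the admin_post_nopriv_{action} variant is deliberately not registered.
add_action( 'admin_post_example_chatbot_save', 'example_chatbot_save_settings_hardened' );

// Detection aid (assumed option names): record every change to the chatbot
// options so an unexpected rewrite stands out in the PHP error log.
// Token values are intentionally not logged.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    $watched = array( 'example_chatbot_api_token', 'example_chatbot_company_id' );
    if ( in_array( $option, $watched, true ) ) {
        error_log( sprintf(
            '[chatbot-config] option %s changed by user %d from %s',
            $option,
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
}, 10, 3 );
```

The difference between the two handlers is the whole of the advisory's finding: a capability check (`current_user_can`) answers "may this user do this", the nonce check (`check_admin_referer`) answers "did this user intend to do this", and registering the handler on an admin-only hook keeps the code path away from anonymous visitors. A change logged with user ID 0 is one the site owner should treat as an unauthenticated write.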


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Larrykim; Larrykim wp-chatbot For Messenger; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Larrykim; Larrykim wp-chatbot For Messenger; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the site's MobileMonkey API token and company ID options, which can be used to hijack chatbot configuration and redirect visitor conversations to an attacker-controlled MobileMonkey account.

Type: Title
Values Added: WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:25.004Z

Reserved: 2026-03-04T01:19:23.729Z

Link: CVE-2026-3506

Vulnrichment

Updated: 2026-03-23T18:05:20.554Z

NVD

Status : Deferred

Published: 2026-03-21T04:17:27.390

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:25Z

Weaknesses