Impact
The vulnerability is a broken access control flaw in the QuantumCloud ChatBot plugin for WordPress, versions 7.9.7 and earlier, that is reachable from the Subscriber role. It allows a low-privileged authenticated user to perform actions that should be restricted to higher-privileged roles, such as administrators. Because the flaw lies in the plugin's own authorization checks rather than in WordPress core, any actor who holds a Subscriber-level account (a compromised account, or one obtained through self-registration where the site allows it) and can reach the plugin's endpoints can potentially modify plugin data, bypass intended restrictions, or otherwise affect the confidentiality, integrity, or availability of the site.
Affected Systems
The affected system is the QuantumCloud ChatBot plugin for WordPress, versions up to and including 7.9.7. Any site running one of these versions is exposed. Since the flaw is exploitable from the Subscriber role, the lowest default WordPress role, any account on the site is sufficient, and the plugin's endpoints are reachable from wherever the WordPress instance itself is reachable. The vulnerability applies to all WordPress installations that host the plugin unless a compensating control in front of the site (for example, a WAF rule or a network restriction on the relevant endpoints) blocks the requests.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the High severity band. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack path is straightforward: an attacker with a Subscriber-level account sends an HTTP request to the plugin endpoint that lacks a proper capability check (for a WordPress plugin this is typically an admin-ajax.php action or a REST route whose permission callback is missing or permissive), and the plugin performs the privileged operation without verifying that the caller is authorized to request it. No exploitation chain beyond locating the endpoint and crafting the request is required. Authentication is still a prerequisite, so an anonymous visitor cannot trigger the flaw directly; on sites with open registration, however, obtaining a Subscriber account is trivial. The outcome could be unauthorized data modification or escalation of privileges within the site.
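As an added illustration of the pattern behind this class of flaw (this is example code written for this page, not code from the ChatBot plugin or from the advisory), the following hypothetical WordPress handlers show a setting-update action that is exposed to every logged-in user with no capability check, beside a hardened version with the checks a plugin author should have in place. All names here (example_save_setting, example_setting, the example/v1 route, the manage_options capability chosen for the check) are assumptions for the illustration.

```php
<?php
// Illustrative example only; not the ChatBot plugin's code. Names are hypothetical.

// VULNERABLE pattern. The wp_ajax_{action} hook fires for ANY logged-in user,
// Subscribers included, so hooking it is not an authorization check. With no
// current_user_can() and no nonce, a Subscriber can change the option by POSTing
//   action=example_save_setting&value=...   to /wp-admin/admin-ajax.php
// with their ordinary session cookie.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( 'example_setting', $value ); // privileged write, no check
    wp_send_json_success( array( 'saved' => true ) );
}

// HARDENED pattern. Two independent checks, in this order:
//  1. check_ajax_referer(): rejects requests without a valid nonce (CSRF), and
//  2. current_user_can(): rejects callers who lack the capability (authorization).
// A nonce alone is NOT authorization: a Subscriber can obtain a nonce for any
// action the page hands them, so the capability check is the one that matters here.
add_action( 'wp_ajax_example_save_setting_secure', 'example_save_setting_secure' );
function example_save_setting_secure() {
    check_ajax_referer( 'example_save_setting', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_send_json_success( array( 'saved' => true ) );
}

// REST equivalent. The permission_callback is where authorization belongs;
// a permission_callback of '__return_true' on a state-changing route is the
// REST form of the same broken access control. The REST API validates the
// X-WP-Nonce header itself for cookie-authenticated requests, so only the
// capability check needs to be written by the plugin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'example_setting',
                sanitize_text_field( $request->get_param( 'value' ) ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

When auditing a plugin for this class of flaw, the quick check is to list every wp_ajax_ and register_rest_route registration and confirm that each handler that writes data, reads sensitive data, or changes plugin state calls current_user_can() (or has a non-trivial permission_callback) with a capability appropriate to the action; a handler that only checks a nonce, or only checks is_user_logged_in(), is reachable by a Subscriber.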
OpenCVE Enrichment