Description
Unauthenticated Cross Site Scripting (XSS) in ChatBot <= 8.3.2 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress ChatBot Plugin (versions 8.3.2 and earlier) contains an unauthenticated reflected cross-site scripting flaw. An attacker can embed malicious script code within user-controlled input that is subsequently echoed back to the web page. Successful injection allows the attacker to run arbitrary scripts in the browser of a visitor who loads the crafted request, potentially stealing session cookies, def malicious sites. The vulnerability is classified as CWE-79: input is not properly neutralized before it is included in the generated page.

Affected Systems

The affected product is QuantumCloud's ChatBot plugin for WordPress. Versions up to and including 8.3.2 are impacted. Administrators of sites with this plugin installed should verify the exact installed version; any instance at 8.3.2 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 falls in the High severity band of CVSS v3.1. Because the vulnerability is unauthenticated and requires only the delivery of a crafted payload, an attacker can exploit it remotely without prior access, although the CVSS vector (UI:R) shows that a visitor must interact with the payload. EPSS data is unavailable, and the flaw is not listed in the CISA KEV catalog, yet its straightforward exploitation path and potential for widespread impact warrant immediate attention. The likely attack vector is inferred to be a malicious link or form submission that a site visitor clicks or submits, resulting in script execution in the visitor's browser.

Generated by OpenCVE AI on July 3, 2026 at 13:30 UTC.

Remediation

Vendor Solution

Update the WordPress ChatBot Plugin to the latest available version (at least 8.3.3).


OpenCVE Recommended Actions

  • Update the WordPress ChatBot Plugin to version 8.3.3 or later.
  • Verify that input handling of the ChatBot plugin applies proper sanitization and output encoding.
  • Perform a site‑wide security scan for reflected XSS to confirm no other vulnerable inputs remain.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 20:30:00 +0000

Values added (no values removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 13:15:00 +0000

Values added (no values removed):
  • First Time appeared: Quantumcloud; Quantumcloud chatbot; Wordpress; Wordpress wordpress
  • Vendors & Products: Quantumcloud; Quantumcloud chatbot; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

Values added (no values removed):
  • Description: Unauthenticated Cross Site Scripting (XSS) in ChatBot <= 8.3.2 versions.
  • Title: WordPress ChatBot plugin <= 8.3.2 - Reflected Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T19:44:09.312Z

Reserved: 2026-06-24T12:45:46.645Z

Link: CVE-2026-57362

Vulnrichment

Updated: 2026-07-02T19:44:04.686Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T13:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')