Impact
The WordPress ChatBot plugin (versions 8.3.2 and earlier) contains an unauthenticated reflected cross‑site scripting flaw. An attacker can embed script code in user‑controlled input that the plugin echoes back into the web page without adequate encoding. Successful injection allows the attacker to run arbitrary script in the browser of any visitor who loads the crafted request, potentially stealing session cookies, defacing page content, or redirecting visitors to malicious sites. The weakness is classified as CWE‑79, improper neutralization of user input during web page generation.
Affected Systems
The affected product is QuantumCloud’s ChatBot plugin for WordPress. Versions up to and including 8.3.2 are impacted. Administrators of sites running this plugin should verify the exact installed version; any instance at or below 8.3.2 is vulnerable.
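As an added example that is not part of this advisory, the following script reads the standard WordPress plugin file header, extracts the Version field and compares it numerically against the 8.3.2 ceiling stated above; the plugin file path and the sample header are assumptions, since the advisory does not give the plugin's slug or main file name.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Highest affected version as stated in the advisory.
MAX_AFFECTED = "8.3.2"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so that
    comparison is numeric (8.3.10 > 8.3.2), not lexical.
    Non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def header_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.M)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the installed version is 8.3.2 or earlier."""
    return parse_version(version) <= parse_version(MAX_AFFECTED)


def check_plugin_file(path: str) -> Tuple[Optional[str], bool]:
    """Read a plugin's main PHP file (path is a placeholder the caller
    supplies, e.g. wp-content/plugins/<slug>/<main>.php) and return
    (version, affected). A missing header yields (None, False) so the
    caller can inspect the file manually rather than trust a guess."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
    v = header_version(text)
    return v, (is_affected(v) if v else False)


# Constructed sample header in the WordPress plugin header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ChatBot
 * Version: 8.3.2
 */
"""

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"installed {v}: {'AFFECTED' if v and is_affected(v) else 'not affected'}")
```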
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high severity risk. Because the vulnerability is unauthenticated and requires only the delivery of a crafted payload, an attacker can exploit it remotely without prior access to the site. EPSS data is unavailable, and the flaw is not listed in the CISA KEV catalog, yet its straightforward exploitation path and the broad install base of WordPress plugins warrant prompt attention. The likely attack vector, inferred from the nature of reflected XSS, is a crafted link or form submission that a site visitor clicks or submits, causing the injected script to execute in that visitor’s browser.
OpenCVE Enrichment