Platform
wordpress
Component
chatbot
Fixed in
4.9.3
4.9.2
CVE-2023-5241 is a critical directory traversal vulnerability affecting AI ChatBot for WordPress versions up to 4.9.1. This flaw allows authenticated subscribers to manipulate files on the server, potentially leading to denial-of-service (DoS) conditions. The vulnerability resides in the qcldopenaiuploadpagetrainingfile function and is addressed in version 4.9.3.
An attacker exploiting CVE-2023-5241 can leverage the directory traversal vulnerability to append malicious code, specifically "<?php", to existing files on the WordPress server. This is particularly dangerous when targeting critical files like wp-config.php. By injecting this code, an attacker can disrupt the WordPress installation, potentially leading to a complete denial of service. The ability to append code to core configuration files could also allow for further exploitation, although the immediate impact is primarily DoS. The vulnerability's ease of exploitation, combined with the potential for widespread impact, makes it a significant security concern.
CVE-2023-5241 was publicly disclosed on 2023-10-19. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for DoS make it a likely target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Exploit Status
EPSS
2.45% (85% percentile)
CVSS Vector
The primary mitigation for CVE-2023-5241 is to immediately upgrade AI ChatBot for WordPress to version 4.9.3 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting file upload permissions for subscriber-level users. Review server access logs for any suspicious file modification attempts. While a WAF might offer some protection, it's unlikely to be effective against this type of vulnerability without specific rules tailored to the qcldopenaiuploadpagetrainingfile function. After upgrading, verify the fix by attempting to upload a file with a malicious filename (e.g., ../../../../wp-config.php<?php) and confirming that the upload is rejected.
Update the AI ChatBot plugin to version 4.9.3 or higher. This version fixes the directory traversal vulnerability that allows attackers to append malicious PHP code to existing files.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-5241 is a critical vulnerability in AI ChatBot for WordPress allowing attackers to traverse directories and potentially manipulate files on the server.
You are affected if you are using AI ChatBot for WordPress versions 4.9.1 or earlier. Upgrade to 4.9.3 to resolve the issue.
Upgrade AI ChatBot for WordPress to version 4.9.3 or later. As a temporary workaround, restrict file upload permissions for subscriber-level users.
While no confirmed active exploitation campaigns have been reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the AI ChatBot official website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.