Platform
wordpress
Component
chatbot
Opgelost in
4.9.3
4.9.2
CVE-2023-5241 is a critical directory traversal vulnerability affecting AI ChatBot for WordPress versions up to 4.9.1. This flaw allows authenticated subscribers to manipulate files on the server, potentially leading to denial-of-service (DoS) conditions. The vulnerability resides in the qcldopenaiuploadpagetrainingfile function and is addressed in version 4.9.3.
An attacker exploiting CVE-2023-5241 can leverage the directory traversal vulnerability to append malicious code, specifically "<?php", to existing files on the WordPress server. This is particularly dangerous when targeting critical files like wp-config.php. By injecting this code, an attacker can disrupt the WordPress installation, potentially leading to a complete denial of service. The ability to append code to core configuration files could also allow for further exploitation, although the immediate impact is primarily DoS. The vulnerability's ease of exploitation, combined with the potential for widespread impact, makes it a significant security concern.
CVE-2023-5241 was publicly disclosed on 2023-10-19. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for DoS make it a likely target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Websites utilizing AI ChatBot for WordPress, particularly those with subscriber-level users who have file upload privileges, are at significant risk. Shared hosting environments where users have limited control over file permissions are especially vulnerable. WordPress installations with outdated versions of AI ChatBot are also at high risk.
• wordpress / composer / npm:
grep -r "qcld_openai_upload_pagetraining_file" /var/www/html/wp-content/plugins/• wordpress / composer / npm:
wp plugin list | grep ai-chatbot• wordpress / composer / npm:
wp plugin update ai-chatbot• generic web:
Review WordPress access logs for unusual file upload attempts, particularly those involving path traversal sequences (e.g., ../).
disclosure
patch
Exploit Status
EPSS
2.45% (85% percentiel)
CVSS-vector
The primary mitigation for CVE-2023-5241 is to immediately upgrade AI ChatBot for WordPress to version 4.9.3 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting file upload permissions for subscriber-level users. Review server access logs for any suspicious file modification attempts. While a WAF might offer some protection, it's unlikely to be effective against this type of vulnerability without specific rules tailored to the qcldopenaiuploadpagetrainingfile function. After upgrading, verify the fix by attempting to upload a file with a malicious filename (e.g., ../../../../wp-config.php<?php) and confirming that the upload is rejected.
Werk de AI ChatBot plugin bij naar versie 4.9.3 of hoger. Deze versie corrigeert de Directory Traversal kwetsbaarheid die het aanvallers mogelijk maakt om kwaadaardige PHP-code aan bestaande bestanden toe te voegen.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2023-5241 is a critical vulnerability in AI ChatBot for WordPress allowing attackers to traverse directories and potentially manipulate files on the server.
You are affected if you are using AI ChatBot for WordPress versions 4.9.1 or earlier. Upgrade to 4.9.3 to resolve the issue.
Upgrade AI ChatBot for WordPress to version 4.9.3 or later. As a temporary workaround, restrict file upload permissions for subscriber-level users.
While no confirmed active exploitation campaigns have been reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the AI ChatBot official website or WordPress plugin repository for the latest advisory and update information.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.