CVE-2023-5241
🟠 Łataj w tym tygodniu
Wykorzystanie przepełnienia bufora w AI ChatBot for WordPress pozwala na atak DoS.
CVSS
9.6
EPSS
2.5%
Exploit
none
Vendor
quantumcloud
Opis źródłowy (NVD)
The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "<?php" to any existing file on the server resulting in potential DoS when appended to critical files such as wp-config.php.
dos path-traversal
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.6 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 2.5% |
| Opublikowano (NVD) | 2023-10-19 06:15:11 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-08 17:17:06 UTC |
Referencje
- https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L376 (security@wordfence.com) [Product]
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail= (security@wordfence.com) [Patch]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/25199281-5286-4d75-8d27-26ce215e0993?source=cve (security@wordfence.com) [Third Party Advisory]
- http://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.html (af854a3a-2127-422b-91ae-364da2661108) [Third Party Advisory, VDB Entry]