Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress
On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations.
After making our initial contact attempt on September 28, 2023, we received a response on September 29, 2023 and sent over our full disclosure details. The vendor acknowledged receipt of the disclosure the same day, and a fully patched version of the plugin was released on October 19, 2023.
We issued a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on September 29, 2023. Sites still running the free version of Wordfence will receive the same protection on October 29, 2023.
Please note that these vulnerabilities were originally fixed in 4.9.1 (released October 10, 2023). However, some of them were reintroduced in 4.9.2 and then subsequently patched again in 4.9.3. We recommend that all Wordfence users update to version 4.9.3 or higher immediately.
A complete list of the vulnerabilities we reported is below. Links to Wordfence Intelligence are included where you can find full details:
- Unauthenticated SQL Injection (CVSS Score 9.8 – CVE-2023-5204)
- Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file (CVSS Score 9.6 – CVE-2023-5241)
- Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file (CVSS Score 9.6 – CVE-2023-5212)
- Unauthenticated Sensitive Information Exposure via qcld_wb_chatbot_check_user (CVSS Score 5.3 – CVE-2023-5254)
- Missing Authorization on AJAX actions (CVSS Score 5.3 – CVE-2023-5533)
- Cross-Site Request Forgery on AJAX actions (CVSS Score 4.3 – CVE-2023-5534)
In this post we will focus on the most impactful vulnerabilities.
Vulnerability Details and Technical Analysis
The AI ChatBot plugin provides website owners with a plug-and-play chat solution that can be extended with customizable FAQs and custom text responses. It gives website visitors an interface for looking up order information and leaving contact information for later callbacks, and it can be integrated with OpenAI’s ChatGPT or Google’s DialogFlow.
Many of the interactions with the chatbot happen via AJAX actions. Many of these actions were made available to unauthenticated users so that they could interact with the chatbot. Other actions required at least subscriber-level access.
Unauthenticated SQL Injection – CVE-2023-5204
Description: Unauthenticated SQL Injection via qc_wpbo_search_response
Affected Plugin: AI ChatBot
Plugin slug: chatbot
Affected versions:
wpaicg_max_file_size)
In a default installation $this->wpaicg_max_file_size is not defined and therefore NULL. Hence, in such scenarios the function adds the first line of the file specified by the user to the end of the file. Since NULL is interpreted as zero in a comparison statement like this, any positive file size will suffice to break out of this part of the function.
Unfortunately, this code is vulnerable to Directory Traversal via the filename parameter. If the filename that is passed is a relative path to wp-config.php, the file handle will ultimately point to the site’s wp-config.php file. An authenticated attacker with subscriber privileges or higher could use this to append the first line of wp-config.php’s own content to the end of wp-config.php, which would be