CVE-2023-1650

The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed	Exploit Third Party Advisory
https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:quantumcloud:wpbot:*:*:*:*:*:wordpress:*:*

History

12 May 2025, 15:09

Type	Values Removed	Values Added
First Time		Quantumcloud wpbot
CPE	cpe:2.3:a:quantumcloud:ai_chatbot::::::wordpress::*	cpe:2.3:a:quantumcloud:wpbot::::::wordpress::*

21 Nov 2024, 07:39

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed - Exploit, Third Party Advisory

Information

Published : 2023-05-08 14:15

Updated : 2025-05-12 15:09

NVD link : CVE-2023-1650

Mitre link : CVE-2023-1650

CVE.ORG link : CVE-2023-1650

JSON object : View

Products Affected

quantumcloud

wpbot

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-1650", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-05-08T14:15:12.747", "references": [{"url": "https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog"}], "lastModified": "2025-05-12T15:09:58.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quantumcloud:wpbot:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "2D8C0E44-F031-4CA8-BB08-92EBE9104EDE", "versionEndExcluding": "4.4.7"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}