Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress

Nov 10, 2023 | Digital Marketing, Research, Vulnerabilities, WordPress Security

The Wordfence Threat Intelligence team recently uncovered several vulnerabilities in the AI ChatBot WordPress plugin, which has over 4,000 active installations. After initiating the responsible disclosure process, the team received a prompt response from the plugin vendor and sent over full disclosure details on September 29, 2023. The vendor acknowledged receipt of the disclosure and released a fully patched version of the plugin on October 19, 2023.

To protect customers, a firewall rule was issued to Wordfence Premium, Wordfence Care, and Wordfence Response users on September 29, 2023. Users of the free version of Wordfence will receive the same protection on October 29, 2023. It is important to note that the vulnerabilities were initially fixed in version 4.9.1, released on October 10, 2023, but some were reintroduced in version 4.9.2 and patched again in version 4.9.3. Anyone running the plugin, whether or not they use Wordfence, is advised to update to version 4.9.3 or higher immediately; a site on 4.9.2 is not fully patched.

The most impactful vulnerability discovered was an unauthenticated SQL Injection. Because the chatbot is meant to be used by ordinary site visitors, the affected code path is reachable without logging in to WordPress at all. User-supplied input reaching that path was neither escaped nor passed through a prepared statement before being placed in a database query, so an unauthenticated attacker could alter the query and read sensitive data from the site's database.
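The following is an added illustration of the vulnerability class described above; it is not the AI ChatBot plugin's code, and the handler name, AJAX action, table name and `keyword` parameter are hypothetical. It shows a chatbot search handler exposed to logged-out visitors (the `wp_ajax_nopriv_` hook) with the injectable pattern beside a version that uses `$wpdb->prepare()` and `$wpdb->esc_like()`.

```php
<?php
// Hypothetical illustration of an unauthenticated SQL injection in a
// WordPress AJAX handler. Not the AI ChatBot plugin's code; all names are
// assumptions for the example.

// VULNERABLE: the visitor-controlled keyword is interpolated into the query.
// A keyword such as   ' UNION SELECT user_login, user_pass FROM wp_users-- -
// changes the meaning of the statement, and no login is required because
// the handler is registered on the nopriv hook below.
function hypothetical_chatbot_search_vulnerable() {
	global $wpdb;
	$keyword = isset( $_POST['keyword'] ) ? $_POST['keyword'] : '';
	$table   = $wpdb->prefix . 'hypothetical_chatbot_responses';

	$rows = $wpdb->get_results(
		"SELECT id, response FROM {$table} WHERE keyword LIKE '%{$keyword}%'"
	);
	wp_send_json_success( $rows );
}

// FIXED: the value travels through a %s placeholder, so it is quoted and
// escaped by prepare(); esc_like() additionally neutralises % and _ so the
// visitor cannot widen the LIKE match. The table name never comes from the
// request; only the prefix (trusted site config) is interpolated.
function hypothetical_chatbot_search_fixed() {
	global $wpdb;
	$keyword = isset( $_POST['keyword'] ) ? sanitize_text_field( wp_unslash( $_POST['keyword'] ) ) : '';
	$table   = $wpdb->prefix . 'hypothetical_chatbot_responses';

	$like = '%' . $wpdb->esc_like( $keyword ) . '%';
	$sql  = $wpdb->prepare(
		"SELECT id, response FROM {$table} WHERE keyword LIKE %s",
		$like
	);
	$rows = $wpdb->get_results( $sql );
	wp_send_json_success( $rows );
}

// The chatbot must work for anonymous visitors, so both hooks are needed.
// That is exactly why an injection here is unauthenticated: the attack
// surface is the same code path the front-end widget uses.
add_action( 'wp_ajax_nopriv_hypothetical_chatbot_search', 'hypothetical_chatbot_search_fixed' );
add_action( 'wp_ajax_hypothetical_chatbot_search', 'hypothetical_chatbot_search_fixed' );
```

When reviewing a plugin for this bug class, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose first argument is a double-quoted string containing `$_POST`, `$_GET` or `$_REQUEST` values, and check whether the enclosing function is reachable through a `wp_ajax_nopriv_` action, a REST route with a permissive `permission_callback`, or a shortcode rendered on public pages.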

Another vulnerability found in the plugin was an arbitrary file deletion issue. It allowed an attacker with subscriber-level privileges or higher to delete arbitrary files on the affected website; removing a file the site depends on can lead to a complete site takeover. This issue was fixed in version 4.9.1, reintroduced in version 4.9.2, and fixed again in version 4.9.3.

The AI ChatBot plugin also contained an arbitrary file write vulnerability, exploitable through directory traversal in the filename parameter. An authenticated attacker with subscriber-level privileges or higher could use it to append attacker-controlled content to files outside the plugin's intended directory; appending to a file the site depends on can break it, resulting in a denial of service.

In summary, the Wordfence Threat Intelligence team discovered and reported multiple vulnerabilities in the AI ChatBot WordPress plugin, which have since been patched by the vendor. Users are strongly advised to update to version 4.9.3 or higher to protect against potential exploitation. Additionally, Wordfence has provided protection to its premium, care, and response users, with free users set to receive the same protection soon.
