AVID-2026-R1318

Description

Vulnerability CVE-2023-5241

Details

The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append “<?php” to any existing file on the server resulting in potential DoS when appended to critical files such as wp-config.php.

Reason for inclusion in AVID: The CVE describes a vulnerability in the WordPress AI ChatBot plugin used to deliver AI chat functionality, enabling directory traversal and potential DoS via the qcld_openai_upload_pagetraining_file function. This is a software vulnerability in a component that is part of the AI deployment/usage stack (AI chatbot integration), thus relevant to AI systems and their supply chain. The issue affects software used to build/run AI features, and the report provides multiple signals (CVE, CVSS, references, and source code references) to support the vulnerability nature and impact.

References

• NVD entry
• https://www.wordfence.com/threat-intel/vulnerabilities/id/25199281-5286-4d75-8d27-26ce215e0993?source=cve
• https://plugins.trac.wordpress.org/browser/chatbot/trunk/includes/openai/qcld-bot-openai.php#L376
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977505%40chatbot%2Ftrunk&old=2967435%40chatbot%2Ftrunk&sfp_email=&sfph_mail=
• http://packetstormsecurity.com/files/175371/WordPress-AI-ChatBot-4.8.9-SQL-Injection-Traversal-File-Deletion.html

Affected or Relevant Artifacts

• Developer: quantumcloud
• Deployer: quantumcloud
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2023-10-19
• Version: 0.3.3
• AVID Entry