A Directory Traversal vulnerability has been identified in the WordPress AI ChatBot plugin. This vulnerability could allow a malicious actor to see all files in a given directory or determine if certain files/directories exist in a given folder. This information can be used to exploit other weaknesses in the system.

This vulnerability was discovered and responsibly reported by Marco Wotschka.

The vulnerability occurs in the chatbot.php file. A flaw in the way the plugin handles user input allows an attacker to access files outside of the plugin’s directory.

Severity:

The vulnerability has a CVSS 3.1 score of 9.8, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.

Affected Versions:

All versions of the ChatBot plugin prior to 4.9.1 are affected by this vulnerability.

Impact:

An attacker who successfully exploits this vulnerability could:

  • See all files in a given directory, including sensitive files such as configuration files, database backups, and user passwords.
  • Determine if certain files or directories exist on the server.
  • Use this information to exploit other weaknesses in the system.

Recommendation:

To bolster your WordPress website’s security, it’s crucial to take the following measures:

  1. Update the Plugin: Immediately update the WordPress AI ChatBot Plugin to the latest version, specifically version 4.9.1 or higher. This update includes vital security fixes to eliminate the Directory Traversal vulnerability.
  2. Regularly Update Plugins: Don’t limit updates to this plugin alone. Make it a practice to regularly update all WordPress plugins and themes to their latest versions. Keeping your website components current is a foundational security measure.
  3. Enhance Security Measures: Consider implementing additional security precautions, such as web application firewalls (WAFs), robust authentication protocols, and routine security audits. A comprehensive security strategy is essential to minimize potential exploitation attempts.
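
To check an installation against the affected range stated above, the following added example (not part of the advisory or the plugin's own code) reads the header comment of each plugin under a plugins directory and flags matching plugins whose version is below 4.9.1. The name filter `"chatbot"` and the sample tree built in `demo()` are assumptions made for illustration; the advisory does not give the plugin's directory name or header text.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 9, 1)  # first fixed release named in the advisory
HEADER = re.compile(r"^[\s*#@/]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """'4.10' -> (4, 10, 0), so versions compare numerically, not as strings."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Return the plugin name and version found in a plugin file's header comment."""
    # WordPress only reads the first 8 KB of a plugin file for its header.
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    meta = {}
    for key, value in HEADER.findall(head):
        meta.setdefault(key.lower(), value)  # keep the first occurrence
    return meta

def audit(plugins_dir, name_match):
    """List (directory, version, status) for plugins whose name contains name_match."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        meta = read_header(php)
        if name_match.lower() not in meta.get("plugin name", "").lower():
            continue
        raw = meta.get("version")
        if raw is None or not re.search(r"\d", raw):
            status = "unknown"  # no usable version: review by hand
        else:
            status = "vulnerable" if parse_version(raw) < FIXED else "fixed"
        results.append((php.parent.name, raw, status))
    return results

def demo():
    """Constructed sample tree: directory names and header text are made up."""
    samples = {"site-a": "4.8.9", "site-b": "4.10.0", "site-c": "4.9.1", "site-d": None}
    with tempfile.TemporaryDirectory() as root:
        for slug, ver in samples.items():
            plugin = Path(root, slug)
            plugin.mkdir()
            version_line = f" * Version: {ver}\n" if ver else ""
            (plugin / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: AI ChatBot\n{version_line} */\n")
        return audit(root, "chatbot")

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against the real `wp-content/plugins` path with a name filter that matches the plugin as it appears in your dashboard; a result of `unknown` means the header carried no version and the plugin should be inspected manually.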