A critical SQL Injection vulnerability has been identified in the WordPress AI ChatBot plugin. This vulnerability could allow a malicious actor to directly interact with your database, including but not limited to stealing information.

This vulnerability was discovered and responsibly reported by Marco Wotschka.

The vulnerability is an SQL Injection vulnerability that occurs in the chatbot.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to inject malicious SQL code into the database.


The vulnerability has a CVSS 3.1 score of 9.8, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.

Affected Versions:

All versions of the ChatBot plugin prior to 4.9.1 are affected by this vulnerability.


An attacker who successfully exploits this vulnerability could:

  • Steal sensitive information from your database, such as user passwords, credit card numbers, and other sensitive data.
  • Modify or delete data in your database.
  • Disable your website or database.
  • Take complete control of your website and database.


To secure the WordPress website and protect it from this grave threat, the following actions are imperative:

  1. Update the Plugin: Users of the ChatBot plugin are strongly advised to update to the latest available version (at least 4.9.1) as soon as possible. This update includes critical security patches to rectify the SQL Injection vulnerability.
  2. Regularly Update Plugins: Beyond this critical update, make it a standard practice to regularly update all WordPress plugins and themes to their latest versions. Maintaining website components up to date is a fundamental security measure.