CVE-2023-5204: WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection
Vulnerability description
The ChatBot plugin for WordPress up to 4.8.9 contains a SQL injection caused by insufficient escaping and lack of preparation on the $strid parameter, letting unauthenticated attackers extract sensitive data. The exploit requires no authentication. [Disclosed]

id: CVE-2023-5204

info:
  name: WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    ChatBot plugin for WordPress up to 4.8.9 contains a SQL injection caused by insufficient escaping and lack of preparation on the $strid parameter, letting unauthenticated attackers extract sensitive data. The exploit requires no authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries, leading to data disclosure and potential database compromise.
  remediation: |
    Update to the latest version of the plugin that addresses this vulnerability, or apply security patches provided by the vendor.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5204
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/chatbot/chatbot-489-unauthenticated-sql-injection-via-qc-wpbo-search-response
    - https://plugins.trac.wordpress.org/browser/chatbot/trunk/qcld-wpwbot-search.php?r
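The root cause named above (a request parameter concatenated into SQL without $wpdb->prepare()) is a common WordPress plugin defect. The following is an added illustration, not the WPBot plugin's code: a hypothetical lookup handler (function names, the table name and the column are assumptions) shown first in the unsafe form and then with the value bound through $wpdb->prepare(), which is the fix class the remediation refers to.

```php
<?php
// Added illustration, not the WPBot plugin's code. Assumes a hypothetical
// handler that looks up a stored response by a $strid request parameter.

// Unsafe pattern: the raw parameter is interpolated into the SQL string,
// so any quote or operator it contains becomes part of the query.
function wpbot_demo_lookup_unsafe( $strid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpbot_demo_responses'; // hypothetical table
    return $wpdb->get_results( "SELECT response FROM {$table} WHERE strid = '{$strid}'" );
}

// Hardened pattern: coerce the value to the expected type and pass it as a
// placeholder through $wpdb->prepare(), so it is always treated as data.
// For string identifiers use sanitize_text_field() with a %s placeholder.
function wpbot_demo_lookup_safe( $strid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpbot_demo_responses'; // hypothetical table
    $strid = absint( $strid );
    if ( 0 === $strid ) {
        return array(); // reject empty or non-numeric input up front
    }
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT response FROM {$table} WHERE strid = %d", $strid )
    );
}
```

When reviewing a plugin for this class of bug, grep for $wpdb->query, get_results, get_var and get_row calls whose SQL string is built with interpolation or concatenation from $_GET, $_POST or $_REQUEST values and confirm each one goes through $wpdb->prepare().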
Affected scope
Unknown
Remediation advice
None provided yet