There is a serious security vulnerability that has been discovered in the popular AI ChatBot for WordPress, which could enable attackers to exploit a Directory Traversal vulnerability in the software. The problem affects versions up to and including 4.8.9 as well as 4.9.2 and has been discovered in the qcld_openai_upload_pagetraining_file function. Attackers with only subscriber-level access can potentially append "
Code snippet
The code snippet that makes the AI ChatBot vulnerable to Directory Traversal is in the plugin's qcld_openai_upload_pagetraining_file function:
function qcld_openai_upload_pagetraining_file(){
$upload_dir = wp_upload_dir();
$uploaded_file = $upload_dir['basedir'] . sanitize_file_name($_FILES['page_training_file']['name']);
move_uploaded_file($_FILES['page_training_file']['tmp_name'], $uploaded_file);
}
Exploit details
By exploiting the Directory Traversal vulnerability, an attacker can potentially append "
/wp-admin/admin-ajax.php?action=qcld_openai_upload_pagetraining_file&file=../wp-config.php&content=<?php
This modification could result in a Denial of Service (DoS) attack since critical files like wp-config.php are essential for the proper operation of a WordPress site.
Original references
Researchers have published the details of this vulnerability for public awareness. Here are some useful links to understand more about CVE-2023-5241:
1. Official CVE Details: (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5241)
2. Exploit Database: (https://www.exploit-db.com/exploits/52341)
3. WP Vulnerability Database: (https://wpvulndb.com/vulnerabilities/12473)
Mitigations and solutions
To secure your WordPress installation and protect your website from this critical vulnerability, you should update the AI ChatBot plugin to the latest available version. The plugin developers have released security patches to fix this Directory Traversal vulnerability in versions 4.8.9 and 4.9.2.
Additionally, make sure your WordPress installation is up-to-date and apply best security practices like using strong and unique passwords, two-factor authentication (2FA) and keeping regular backups of your website.
Conclusion
The CVE-2023-5241 vulnerability in the AI ChatBot for WordPress affects versions 4.8.9 and 4.9.2 and poses a significant security risk for your website. It's essential to update the plugin to the latest available version and follow the best security practices to protect your WordPress site from such threats in the future. By sharing this information, we aim to raise awareness about cybersecurity and help protect the wider WordPress community.
Timeline
Published on: 10/19/2023 06:15:11 UTC
Last modified on: 12/22/2023 19:02:58 UTC