CVE-2024-13091
Published: 22 January 2025
Description
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. Note: The exploit requires the ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin.
Security Summary
CVE-2024-13091 is an arbitrary file upload vulnerability in the WPBot Pro WordPress Chatbot plugin for WordPress, affecting all versions up to and including 13.5.4. The flaw stems from missing file type validation in the 'qcld_wpcfb_file_upload' function. Exploitation requires the additional presence of the ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no privileges, and no user interaction, earning it a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful attacks enable uploading arbitrary files to the affected site's server, which may lead to remote code execution, tied to CWE-434 (Unrestricted Upload of File with Dangerous Type).
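The mitigation pattern for this class of CWE-434 weakness in a WordPress plugin, as an added example that is not the plugin's code nor the vendor's fix: the handler requires authentication and a nonce, allow-lists file types, validates the real content type rather than the client-supplied name, and lets WordPress choose the stored filename. Names prefixed "example_" and the form field "cfb_file" are hypothetical; the WordPress API functions are real.

```php
<?php
// Added example (not the plugin's code): a hardened upload handler closing the
// CWE-434 gap described above. "example_" names are hypothetical; WP APIs are real.
// Registered only for logged-in users (no wp_ajax_nopriv_* hook), so the endpoint
// is not reachable unauthenticated in the first place.
add_action( 'wp_ajax_example_cfb_upload', 'example_cfb_safe_file_upload' );

function example_cfb_safe_file_upload() {
    // 1. Authorisation: valid nonce and a capability that permits uploads.
    check_ajax_referer( 'example_cfb_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Not permitted', 403 );
    }
    if ( empty( $_FILES['cfb_file'] ) || ! is_array( $_FILES['cfb_file'] ) ) {
        wp_send_json_error( 'No file received', 400 );
    }
    $file = $_FILES['cfb_file'];

    // 2. Allow-list of the extensions and MIME types the form actually needs.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );

    // 3. Validate extension AND content: wp_check_filetype_and_ext() sniffs the
    //    real type, so a PHP script renamed to .png is rejected.
    $name  = sanitize_file_name( $file['name'] );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not allowed', 415 );
    }

    // 4. Let WordPress move the file: 'mimes' re-applies the allow-list and the
    //    stored name is randomised so the uploader cannot choose the path on disk.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => 'example_cfb_random_name',
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

function example_cfb_random_name( $dir, $name, $ext ) {
    return wp_generate_password( 24, false ) . $ext;
}
```

The two checks that matter most for the flaw described here are step 3 (content-based type validation, not just the extension) and the missing `wp_ajax_nopriv_*` registration, which together remove both the unauthenticated reach and the arbitrary-type upload.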
Advisories including the Wordfence threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9b6979-2662-4d2f-9656-b880dd80832c?source=cve) and the vendor site (https://www.wpbot.pro/) provide further details on the issue, published on 2025-01-22.
Details
- CWE(s)