[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzWDFAQWP-WZuNpROebUrM116j3ij6aQpIOnRdochIp4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-40772","geekybot-ai-copilot-chatbot-woocommerce-lead-gen-zero-prompt-content-unauthenticated-arbitrary-file-upload","GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content \u003C= 1.2.2 - Unauthenticated Arbitrary File Upload","The GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.2.2. 
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.","geeky-bot",null,"\u003C=1.2.2","1.2.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-04-21 00:00:00","2026-04-30 15:20:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F93495395-42cc-4787-be95-4691ff77d01b?source=api-prod",10,[22,23,24,25,26,27,28],"geeky-bot.php","includes\u002Factivation.php","modules\u002Fgeekybot\u002Fcontroller.php","modules\u002Fgeekybot\u002Fmodel.php","modules\u002Fstories\u002Fmodel.php","modules\u002Fwoocommerce\u002Fmodel.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-40772 - GeekyBot Arbitrary File Upload\n\n## Vulnerability Summary\nThe **GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content** plugin (\u003C= 1.2.2) is vulnerable to an unauthenticated arbitrary file upload. The vulnerability exists because the plugin's file upload handling logic (likely in the lead generation or chatbot attachment modules) lacks sufficient file type validation. 
This allows unauthenticated users to upload executable files (e.g., `.php`) to the server, leading to Remote Code Execution (RCE).\n\nThe vulnerability is reachable through the plugin's custom request handler in `modules\u002Fgeekybot\u002Fcontroller.php`, which manages layout inclusions and module logic based on user-supplied parameters.\n\n## Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (via the plugin's custom AJAX\u002Frequest dispatcher) or the root site `\u002F` with specific parameters.\n- **Action\u002FHook:** The plugin uses an `init` hook (via `GEEKYBOTgeekybotController` instantiation) and custom AJAX filters.\n- **Vulnerable Parameters:** `modelName` and `functionName` (fed unvalidated into a dynamic `$model->$functionName()` call in `geekybotLoadMoreProducts`, with `msg`, `data` and `next_page` passed through as the arguments); the `$_FILES` key consumed by the eventual target method is not visible in the excerpt reviewed here.\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** None in practice. The handler reads `_wpnonce` and checks it against the `load-more` action, but the failure branch is empty (the `die()` is commented out), so execution continues whether or not a valid nonce is supplied.\n\n","The GeekyBot plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation and a dynamic method call vulnerability in its product loading logic. Attackers can exploit an effectively disabled nonce check (the failure branch is empty) to invoke any public method of any model that GEEKYBOTincluder::GEEKYBOT_getModel can load, with attacker-controlled arguments, which can be leveraged to upload executable PHP files to the server. The 1.2.3 fix enforces the 'load-more' nonce and adds a per-model method allowlist; since that nonce is reportedly available to unauthenticated visitors, it is worth confirming that each allowlisted method (e.g. woocommercepropack's geekybot_viewOrders) performs its own authorization.","\u002F* modules\u002Fgeekybot\u002Fmodel.php:466 *\u002F\n    function geekybotLoadMoreProducts(){\n        $nonce = GEEKYBOTrequest::GEEKYBOT_getVar('_wpnonce');\n        if (! 
wp_verify_nonce( $nonce, 'load-more') ) {\n            \u002F\u002F disable nonce\n            \u002F\u002F die( 'Security check Failed' ); \n        }\n        $msg = GEEKYBOTrequest::GEEKYBOT_getVar('msg');\n        $data = GEEKYBOTrequest::GEEKYBOT_getVar('data');\n        $next_page = GEEKYBOTrequest::GEEKYBOT_getVar('next_page');\n        $functionName = GEEKYBOTrequest::GEEKYBOT_getVar('functionName');\n        $modelName = GEEKYBOTrequest::GEEKYBOT_getVar('modelName');\n        if(!is_array($data)) {\n            $data = json_decode($data,true);\n        }\n        $products = GEEKYBOTincluder::GEEKYBOT_getModel($modelName)->$functionName($msg, $data, $next_page);\n        \u002F\u002F save bot response to the session and chat history\n        geekybot::$_geekybotsessiondata->geekybot_addChatHistoryToSession($products, 'bot');\n        GEEKYBOTincluder::GEEKYBOT_getModel('chathistory')->SaveChathistoryFromchatServer($products, 'bot');\n        return $products;\n    }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgeeky-bot\u002F1.2.2\u002Fmodules\u002Fgeekybot\u002Fmodel.php\t2026-03-09 08:35:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgeeky-bot\u002F1.2.3\u002Fmodules\u002Fgeekybot\u002Fmodel.php\t2026-04-02 04:18:50.000000000 +0000\n@@ -463,25 +463,74 @@\n         return $imgPath;\n     }\n \n-    function geekybotLoadMoreProducts(){\n+    function geekybotLoadMoreProducts() {\n+        \u002F\u002F 1. STOPS execution if the nonce is invalid\n         $nonce = GEEKYBOTrequest::GEEKYBOT_getVar('_wpnonce');\n-        if (! 
wp_verify_nonce( $nonce, 'load-more') ) {\n-            \u002F\u002F disable nonce\n-            \u002F\u002F die( 'Security check Failed' ); \n+        if (!wp_verify_nonce($nonce, 'load-more')) {\n+            wp_send_json_error('Security check Failed', 403);\n+            exit; \n         }\n+\n         $msg = GEEKYBOTrequest::GEEKYBOT_getVar('msg');\n         $data = GEEKYBOTrequest::GEEKYBOT_getVar('data');\n         $next_page = GEEKYBOTrequest::GEEKYBOT_getVar('next_page');\n-        $functionName = GEEKYBOTrequest::GEEKYBOT_getVar('functionName');\n         $modelName = GEEKYBOTrequest::GEEKYBOT_getVar('modelName');\n-        if(!is_array($data)) {\n-            $data = json_decode($data,true);\n+        $functionName = GEEKYBOTrequest::GEEKYBOT_getVar('functionName');\n+\n+        \u002F\u002F 2. THE ALLOWLIST MAP\n+        \u002F\u002F This defines exactly which models and functions are publically accessible.\n+        $allowed_map = [\n+            'woocommerce' => [\n+                'geekybot_showAllProducts',\n+                'geekybot_searchProduct',\n+                'geekybot_getProductsUnderPrice',\n+                'geekybot_getProductsAbovePrice',\n+                'geekybot_getProductsBetweenPrice',\n+                'showProductsList'\n+            ],\n+            'woocommercepropack' => [\n+                'geekybot_showAllSaleProducts',\n+                'geekybot_showAllTrendingProducts',\n+                'geekybot_showAllLatestProducts',\n+                'geekybot_showAllHighestRatedProducts',\n+                'geekybot_viewOrders'\n+            ]\n+        ];\n+\n+        \u002F\u002F 3. 
VALIDATION LOGIC\n+        \u002F\u002F Check if the model exists in our map\n+        if (!isset($allowed_map[$modelName])) {\n+            wp_send_json_error('Unauthorized Model', 403);\n+            exit;\n         }\n-        $products = GEEKYBOTincluder::GEEKYBOT_getModel($modelName)->$functionName($msg, $data, $next_page);\n-        \u002F\u002F save bot response to the session and chat history\n-        geekybot::$_geekybotsessiondata->geekybot_addChatHistoryToSession($products, 'bot');\n-        GEEKYBOTincluder::GEEKYBOT_getModel('chathistory')->SaveChathistoryFromchatServer($products, 'bot');\n-        return $products;\n+\n+        \u002F\u002F Check if the function is allowed for that specific model\n+        if (!in_array($functionName, $allowed_map[$modelName])) {\n+            wp_send_json_error('Unauthorized Function', 403);\n+            exit;\n+        }\n+\n+        \u002F\u002F 4. SAFE EXECUTION\n+        $model = GEEKYBOTincluder::GEEKYBOT_getModel($modelName);\n+        \n+        \u002F\u002F Final check to ensure the method actually exists in the class\n+        if ($model && method_exists($model, $functionName)) {\n+            \n+            if(!is_array($data)) {\n+                $data = json_decode($data, true);\n+            }\n+\n+            $products = $model->$functionName($msg, $data, $next_page);\n+            \n+            \u002F\u002F save bot response\n+            geekybot::$_geekybotsessiondata->geekybot_addChatHistoryToSession($products, 'bot');\n+            GEEKYBOTincluder::GEEKYBOT_getModel('chathistory')->SaveChathistoryFromchatServer($products, 'bot');\n+            \n+            return $products;\n+        }\n+\n+        wp_send_json_error('Execution failed', 500);\n+        exit;\n     }","To exploit this vulnerability, an unauthenticated attacker first obtains a valid 'load-more' nonce, which is typically exposed in the client-side scripts of the chatbot. 
The attacker then sends a request that reaches geekybotLoadMoreProducts (the exact route and action name are not shown in this excerpt) with the 'modelName' and 'functionName' parameters set to an internal model method that handles file processing or image saving; 'msg', 'data' and 'next_page' are passed through as that method's arguments. No valid nonce is actually needed: in version 1.2.2 the failure branch of the 'load-more' nonce check is empty (the die() is commented out), and there is no allowlist on the dynamic $model->$functionName() call, so any public method of any loadable model can be invoked. If the targeted method writes an uploaded file without type validation, a malicious PHP payload in the $_FILES array would result in a webshell on the server; the specific upload-capable method is not shown in this excerpt, so that final step is inferred from the advisory rather than demonstrated here.","gemini-3-flash-preview","2026-05-04 19:02:13","2026-05-04 19:03:09",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags\u002F1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeeky-bot.1.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags\u002F1.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeeky-bot.1.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags"]