[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0LIbuBCpol0X1aHdKfrsGFbAjRLPWgTgrO9e6d0u0FE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32499","wpbot-ai-chatbot-for-live-support-lead-generation-ai-services-unauthenticated-sql-injection","WPBot – AI ChatBot for Live Support, Lead Generation, AI Services \u003C= 7.7.9 - Unauthenticated SQL Injection","The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 7.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","chatbot",null,"\u003C=7.7.9","7.8.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-20 00:00:00","2026-03-26 20:36:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffb1a977f-e5ce-425b-8817-c03b2a660265?source=api-prod",7,[22,23,24,25],"js\u002Fqcld-wp-chatbot-plugin.js","qcld-wpwbot-search.php","qcld-wpwbot.php","readme.txt","researched",false,3,"This research plan outlines the steps required to exploit an unauthenticated SQL injection vulnerability in the WPBot plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe **WPBot** plugin (versions \u003C= 7.7.9) is vulnerable to an unauthenticated SQL injection. The vulnerability exists in the `wpbo_search_site` function (found in `qcld-wpwbot-search.php`), specifically when the `enable_wp_chatbot_post_content` option is enabled. The plugin fails to properly escape the `keyword` parameter before using it in a SQL fragment within the `wpbot_flexible_search_filter` function, which is attached to the WordPress `posts_search` filter.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action**: `wpbo_search_site` (inferred from function name and standard plugin patterns)\n*   **Vulnerable Parameter**: `keyword`\n*   **Authentication**: Unauthenticated (the plugin registers `wp_ajax_nopriv_wpbo_search_site`)\n*   **Precondition**: The WordPress option `enable_wp_chatbot_post_content` must be set to `1`.\n\n### 3. Code Flow\n1.  **Entry Point**: An unauthenticated user sends a POST request to `admin-ajax.php` with `action=wpbo_search_site`.\n2.  **Handler**: The function `wpbo_search_site()` in `qcld-wpwbot-search.php` is executed.\n3.  **Input Handling**: \n    *   The code retrieves `$keyword` from `$_POST['keyword']` and passes it through `sanitize_text_field()`.\n    *   `sanitize_text_field()` strips HTML tags but **does not** escape SQL metacharacters like single quotes (`'`).\n4.  **Word Variations**: The function `_wpbot_generate","The WPBot plugin for WordPress is vulnerable to unauthenticated SQL injection through the wpbo_search_site_pagination AJAX action. This occurs due to the improper use of sanitize_text_field() instead of WordPress prepared statements, allowing attackers to inject SQL commands via the 'keyword' and 'type' parameters.","\u002F\u002F qcld-wpwbot-search.php line 320\nfunction wpbo_search_site_pagination() {\n\tglobal $wpdb;\n\n\t$keyword           = sanitize_text_field( $_POST['keyword'] );\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing\n\t$post_type         = sanitize_text_field( $_POST['type'] );\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing\n\t$page              = sanitize_text_field( $_POST['page'] );\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing\n\t$enable_post_types = get_option( 'wppt_post_types' );\n\n    \u002F\u002F ... (logic for search settings)\n\n\t$searchkeyword = qcld_wpbot_modified_keyword( $keyword );\n\n    \u002F\u002F ...\n\n\t\u002F\u002F qcld-wpwbot-search.php line 350\n\tif ( get_option( 'active_advance_query' ) != '1' ) {\n\t\t$sql   = 'SELECT * FROM ' . $wpdb->prefix . \"posts where post_type in ('\" . $post_type . \"') and post_status='publish' and ((post_title LIKE '%\" . $searchkeyword . \"%')) order by ID DESC\";\n\t\t$limit = ' Limit 0, ' . $searchlimit;\n\t} else {\n\t\t\u002F\u002F advance query building\n\t\t$sql   = 'SELECT * FROM ' . $wpdb->prefix . \"posts where post_type in ('\" . $post_type . \"') and post_status='publish' and ((post_title REGEXP '\\\\b\" . $searchkeyword . \"\\\\b') or (post_content REGEXP '\\\\b\" . $searchkeyword . \"\\\\b')) order by ID DESC\";\n\t\t$limit = ' Limit 0, ' . $searchlimit;\n\t}\n\t$total_results = $wpdb->get_results( $sql );\n\n\tif ( ! empty( $total_results ) ) {\n        \u002F\u002F ...\n\t\tif ( $orderby != 'none' or $orderby != 'rand' ) {\n\t\t\t$sql .= \" order by $orderby $order\";\n\t\t}\n\t\t$limit = ' Limit ' . ( $total_items * $page ) . \", $total_items\";\n\n\t\t$results = $wpdb->get_results( $sql . $limit );\n\t} else {","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.7.9\u002Fjs\u002Fqcld-wp-chatbot-plugin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.8.0\u002Fjs\u002Fqcld-wp-chatbot-plugin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.7.9\u002Fjs\u002Fqcld-wp-chatbot-plugin.js\t2026-02-13 12:31:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.8.0\u002Fjs\u002Fqcld-wp-chatbot-plugin.js\t2026-02-17 08:42:16.000000000 +0000\n@@ -2238,7 +2238,7 @@\n                     var post_type = obj.attr('data-post_type');\n                     var page = obj.attr('data-page');\n                     obj.text('Loading...');\n-                    var data = {'action':'wpbo_search_site_pagination','name':globalwpw.hasNameCookie,'keyword':keyword,'language': globalwpw.settings.obj.language,'type': post_type, 'page': page};\n+                    var data = {'action':'wpbo_search_site_pagination','name':globalwpw.hasNameCookie,'keyword':keyword,'language': globalwpw.settings.obj.language,'type': post_type, 'page': page, 'nonce': qcld_chatbot_obj.nonce};\n                     if($(globalwpw.settings.messageLastChild+' .wp-chatbot-comment-loader').length==0){\n                         $(globalwpw.settings.messageContainer).append(wpwKits.botPreloader());\n                     }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.7.9\u002Fqcld-wpwbot-search.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.8.0\u002Fqcld-wpwbot-search.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.7.9\u002Fqcld-wpwbot-search.php\t2026-02-13 12:31:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatbot\u002F7.8.0\u002Fqcld-wpwbot-search.php\t2026-02-17 08:42:16.000000000 +0000\n@@ -320,9 +320,23 @@\n function wpbo_search_site_pagination() {\n \tglobal $wpdb;\n \n-\t$keyword           = sanitize_text_field( $_POST['keyword'] );\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing\n-\t$post_type         = sanitize_text_field( $_POST['type'] );\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing\n-\t$page              = sanitize_text_field( $_POST['page'] );\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing\n+\t\u002F\u002F Verify nonce for security\n+\tif ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'wpbot_search_nonce' ) ) {\n+\t\twp_send_json_error( array( 'message' => 'Security check failed' ) );\n+\t\twp_die();\n+\t}\n+\n+\t\u002F\u002F Sanitize and validate inputs\n+\t$keyword           = isset( $_POST['keyword'] ) ? sanitize_text_field( $_POST['keyword'] ) : '';\n+\t$post_type         = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : 'post';\n+\t$page              = isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 0;\n+\t\n+\t\u002F\u002F Validate post type against allowed types\n+\t$allowed_post_types = array( 'post', 'page', 'product' );\n+\tif ( ! in_array( $post_type, $allowed_post_types, true ) ) {\n+\t\t$post_type = 'post';\n+\t}\n+\n \t$enable_post_types = get_option( 'wppt_post_types' );\n \t$load_more         = maybe_unserialize( get_option( 'qlcd_wp_chatbot_load_more' ) );\n \n@@ -332,14 +346,17 @@\n \tif ( is_array( $load_more ) ) {\n \t\t$load_more = $load_more[ array_rand( $load_more ) ];\n \t}\n-\t$searchlimit = ( get_option( 'wppt_number_of_result' ) == '' ? '5' : get_option( 'wppt_number_of_result' ) );\n+\t$searchlimit = ( get_option( 'wppt_number_of_result' ) == '' ? 5 : absint( get_option( 'wppt_number_of_result' ) ) );\n \t$orderby     = ( get_option( 'wppt_result_orderby' ) == '' ? 'none' : get_option( 'wppt_result_orderby' ) );\n \t$order       = ( get_option( 'wppt_result_order' ) == '' ? 'ASC' : get_option( 'wppt_result_order' ) );\n \t$thumb       = ( get_option( 'wpbot_search_image_size' ) ? get_option( 'wpbot_search_image_size' ) : 'thumbnail' );\n \t\u002F\u002F order by setup\n \t$new_window = get_option( 'wpbot_search_result_new_window' );\n \n-\t$total_items = get_option( 'wppt_number_of_result' );\n+\t$total_items = absint( get_option( 'wppt_number_of_result' ) );\n+\tif ( $total_items \u003C 1 ) {\n+\t\t$total_items = 5;\n+\t}\n \n \t$searchkeyword = qcld_wpbot_modified_keyword( $keyword );\n \n@@ -347,19 +364,42 @@\n \t$response['status'] = 'fail';\n \t$response['html']   = '';\n \n-\t\u002F\u002F $sql = \"SELECT * FROM \". $wpdb->prefix.\"posts where post_type in ('\".$post_type.\"') and post_status='publish' and ((post_title REGEXP '\\\\b\".$searchkeyword.\"\\\\b'))\";\n+\t\u002F\u002F Use prepared statements to prevent SQL injection\n \tif ( get_option( 'active_advance_query' ) != '1' ) {\n-\t\t$sql   = 'SELECT * FROM ' . $wpdb->prefix . \"posts where post_type in ('\" . $post_type . \"') and post_status='publish' and ((post_title LIKE '%\" . $searchkeyword . \"%')) order by ID DESC\";\n-\t\t$limit = ' Limit 0, ' . $searchlimit;\n+\t\t\u002F\u002F Simple query - search in post_title only\n+\t\t$sql = $wpdb->prepare(\n+\t\t\t\"SELECT * FROM {$wpdb->prefix}posts \n+\t\t\tWHERE post_type = %s \n+\t\t\tAND post_status = 'publish' \n+\t\t\tAND post_title LIKE %s \n+\t\t\tORDER BY ID DESC\",\n+\t\t\t$post_type,\n+\t\t\t'%' . $wpdb->esc_like( $searchkeyword ) . '%'\n+\t\t);\n \t} else {\n-\t\t\u002F\u002F advance query building\n-\t\t$sql   = 'SELECT * FROM ' . $wpdb->prefix . \"posts where post_type in ('\" . $post_type . \"') and post_status='publish' and ((post_title REGEXP '\\\\b\" . $searchkeyword . \"\\\\b') or (post_content REGEXP '\\\\b\" . $searchkeyword . \"\\\\b')) order by ID DESC\";\n-\t\t$limit = ' Limit 0, ' . $searchlimit;\n+\t\t\u002F\u002F Advanced query - search in both post_title and post_content\n+\t\t$sql = $wpdb->prepare(\n+\t\t\t\"SELECT * FROM {$wpdb->prefix}posts \n+\t\t\tWHERE post_type = %s \n+\t\t\tAND post_status = 'publish' \n+\t\t\tAND (post_title REGEXP %s OR post_content REGEXP %s) \n+\t\t\tORDER BY ID DESC\",\n+\t\t\t$post_type,\n+\t\t\t'[[:\u003C:]]' . $searchkeyword . '[[:>:]]',\n+\t\t\t'[[:\u003C:]]' . $searchkeyword . '[[:>:]]'\n+\t\t);\n \t}\n+\t\n \t$total_results = $wpdb->get_results( $sql );","1. Endpoint: Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n2. Action: Set the 'action' parameter to 'wpbo_search_site_pagination'.\n3. Parameters: \n   - 'keyword': Provide a keyword (e.g., 'test').\n   - 'type': Provide a SQL injection payload (e.g., \"post') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\"). This parameter is used directly in a SQL query's 'IN' clause.\n4. Vulnerability mechanism: The plugin uses sanitize_text_field() on inputs but fails to use $wpdb->prepare(). This allows an attacker to break out of the single-quoted string context in the query and append malicious SQL syntax.\n5. Preconditions: No specific options are strictly required for wpbo_search_site_pagination, although the plugin's search features must be active (default behavior).","gemini-3-flash-preview","2026-04-18 01:36:47","2026-04-18 01:37:39",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","7.7.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchatbot\u002Ftags\u002F7.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fchatbot.7.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchatbot\u002Ftags\u002F7.8.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fchatbot.7.8.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchatbot\u002Ftags"]