PT-2025-1990 · WordPress · Wpbot Pro Wordpress Chatbot+2
István Márton · Published 2025-01-21 · Updated 2025-01-27
CVE-2024-13091 · CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WPBot Pro Wordpress Chatbot plugin for WordPress versions up to, and including, 13.5.4
Description
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the qcld wpcfb file upload function. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. The exploit requires the ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin.
Recommendations
For WPBot Pro Wordpress Chatbot plugin for WordPress versions up to, and including, 13.5.4, update to a version later than 13.5.4 to resolve the issue.
As a temporary workaround, consider disabling the qcld wpcfb file upload function until a patch is available.
Restrict access to the ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin to minimize the risk of exploitation.
Fix
RCE
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Chatbot Conversational Forms
Conversational Form Builder Pro
Wpbot Pro Wordpress Chatbot
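The root cause named in the description is a form upload handler that stores whatever file it receives without checking its type. The following is an added example of how a WordPress form-upload endpoint should validate uploads; it is not code from the WPBot Pro plugin, the Conversational Forms plugin or the Form Builder addon. The handler name `example_cf_upload_handler`, the `example_cf_upload` AJAX action and nonce, and the `example_cf_unique_name` callback are hypothetical; the WordPress functions it calls (`check_ajax_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_send_json_error`, `wp_generate_password`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names:
// example_cf_upload_handler, example_cf_upload (action + nonce), example_cf_unique_name.

add_action( 'wp_ajax_example_cf_upload', 'example_cf_upload_handler' );
add_action( 'wp_ajax_nopriv_example_cf_upload', 'example_cf_upload_handler' );

function example_cf_upload_handler() {
    // 1. Anti-CSRF: the form must carry a nonce bound to this action.
    check_ajax_referer( 'example_cf_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // 2. Size limit enforced in the handler, independent of php.ini.
    if ( $file['size'] > 2 * MB_IN_BYTES ) {
        wp_send_json_error( 'file too large', 413 );
    }

    // 3. Allow-list of the types the form actually needs. Keys are extensions,
    //    values are MIME types. Nothing the web server would execute is listed.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    // 4. Check extension and content together. For images WordPress inspects the
    //    bytes and sets 'proper_filename' when the extension does not match the
    //    detected content; an empty 'ext' or 'type' means the file is not allowed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! empty( $check['proper_filename'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 5. Let WordPress move the file: it re-runs the type check against the same
    //    allow-list, sanitises the name and stores it under wp-content/uploads.
    $overrides = array(
        'test_form'                => false,   // the nonce was verified in step 1
        'mimes'                    => $allowed,
        'unique_filename_callback' => 'example_cf_unique_name',
    );
    $result = wp_handle_upload( $file, $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Server-chosen random file name so the caller cannot control the stored name
// or path; $ext arrives with its leading dot (e.g. ".png").
function example_cf_unique_name( $dir, $name, $ext ) {
    return wp_generate_password( 24, false ) . $ext;
}
```

The two checks that matter most for the class of bug described on this page are steps 3 and 4: an explicit allow-list passed to both `wp_check_filetype_and_ext()` and `wp_handle_upload()`, so that a filename such as `form.php` or a PHP payload renamed to `.png` is rejected before anything is written under the web root. When reviewing an upload handler, look for a direct `move_uploaded_file()` call on `$_FILES[...]['tmp_name']` with no such allow-list in between; that is the pattern the advisory's "missing file type validation" describes.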