Vulnerability  ·  2026-07-03

WPBot AI ChatBot for WordPress — Authenticated Stored XSS via Conversation Parameter (CVE-2026-13731)

Vulnerability · Medium impact · Global · CVE-2026-13731
CVE-2026-13731 (CVSS 7.2 High) was published to NVD on 1 July 2026. The WPBot AI ChatBot plugin for WordPress is vulnerable to stored XSS via the 'conversation' parameter in all versions up to and including 8.4.9, due to insufficient input sanitisation and output escaping.
AI chatbot plugins process and log user-supplied conversation content that is then displayed in admin dashboards. Stored XSS in an AI chat log UI can be exploited to hijack administrator sessions on sites relying on the chatbot for live support or lead generation, potentially leading to site takeover.
An authenticated user (the minimum required role is not specified) supplies a malicious payload in the 'conversation' parameter. Insufficient input sanitisation and output escaping cause the payload to be stored and rendered as HTML/JS when any user views the conversation.
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services (WordPress plugin) ≤ 8.4.9
Update WPBot plugin to version 8.5.0 or later. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-13731
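For triage alongside the update, stored conversation text can be audited for markup that would execute if rendered unescaped, and displayed safely by escaping on output. This is an added example, not code from the plugin or the advisory; the row layout, sample rows and function names are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "style", "form"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "data:text/html")

class ActiveMarkupFinder(HTMLParser):
    """Records why a stored string would be active if rendered unescaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            target = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and target.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")

def audit(text):
    """Return the list of findings for one stored conversation string."""
    finder = ActiveMarkupFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

def render_safe(text):
    """Escape on output so stored text is displayed, never interpreted."""
    return html.escape(text, quote=True)

# Constructed sample rows (id, stored text); not real plugin data.
SAMPLE_ROWS = [
    (1, "Hi, what are your opening hours?"),
    (2, "Is 3 < 5 and price > 10?"),
    (3, 'thanks <img src="x" onerror="alert(1)">'),
    (4, "<script>alert(1)</script>"),
    (5, '<a href=" JavaScript:alert(1)">pricing</a>'),
]

def scan(rows):
    """Map row id -> findings, for rows that contain active markup."""
    return {rid: found for rid, text in rows if (found := audit(text))}
```

The scan is a triage aid for spotting rows worth a manual look, not a sanitiser; escaping at output remains the control that keeps stored text inert.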
Sources
NVD — CVE-2026-13731