What happened
CVE-2026-13731 (CVSS 7.2 High) was published to NVD on 1 July 2026. The WPBot AI ChatBot plugin for WordPress is vulnerable to stored XSS via the 'conversation' parameter in all versions up to and including 8.4.9, due to insufficient input sanitisation and output escaping.
Why it matters
AI chatbot plugins process and log user-supplied conversation content that is then displayed in admin dashboards. Stored XSS in an AI chat log UI can be exploited to hijack administrator sessions on sites relying on the chatbot for live support or lead generation, potentially leading to site takeover.
Attack vector
An authenticated user (minimum role not specified) supplies a malicious payload in the 'conversation' parameter. Insufficient input sanitisation and output escaping cause the payload to be stored and rendered as HTML/JS when any user views the conversation.
Affected systems
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services (WordPress plugin) ≤ 8.4.9
Mitigation
Update WPBot plugin to version 8.5.0 or later. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-13731
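Because the payload is stored, conversation records written before the update may still contain markup. The following is an added example, not code from the plugin or this advisory: it audits exported conversation text for active HTML and shows output escaping. The export format (id plus raw message text), the tag and attribute lists, and all function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Tags that run or load active content if a stored message is echoed unescaped.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "img", "form"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class _MarkupAudit(HTMLParser):
    """Collects reasons a stored chat message is risky when rendered as HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons = []
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.reasons.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler attribute
                self.reasons.append(f"handler:{name}")
            elif name in URL_ATTRS and value:
                if "".join(value.split()).lower().startswith("javascript:"):
                    self.reasons.append(f"url:{name}")

def audit_message(text):
    """Return the list of findings for one stored conversation string."""
    parser = _MarkupAudit()
    parser.feed(text)
    parser.close()
    return parser.reasons

def audit_conversations(rows):
    """rows: iterable of (row_id, text). Returns {row_id: findings} for flagged rows."""
    return {rid: found for rid, text in rows if (found := audit_message(text))}

def render_safe(text):
    """Escape on output so stored text is displayed, never interpreted."""
    return html.escape(text, quote=True)

# Constructed sample records (assumed export format: id plus raw message text).
SAMPLE_ROWS = [
    (1, "Hi, what are your opening hours?"),
    (2, "Is 3 < 5 in your pricing tiers?"),
    (3, "<script>alert(1)</script>"),
    (4, '<img src="x.png" onerror="alert(1)">'),
    (5, '<a href="javascript:void(0)">help</a>'),
]

if __name__ == "__main__":
    for rid, found in audit_conversations(SAMPLE_ROWS).items():
        print(rid, found)
```

Flagged rows are candidates for manual review, not confirmed payloads; the check is a heuristic and plain text containing a bare `<` is not flagged.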