What happened
CVE-2026-57362 (CVSS 7.1 High) was published to NVD on 2 July 2026. The ChatBot WordPress plugin ≤ 8.3.2 contains an unauthenticated reflected XSS vulnerability. User-supplied input is reflected into the response without adequate HTML or JavaScript escaping.
Why it matters
AI chatbot plugins are common entry points on WordPress sites. Reflected XSS targeting admin sessions can lead to account takeover and site compromise, allowing attackers to modify chatbot configurations, exfiltrate API keys used to connect to OpenAI or other LLM providers, or redirect end-users to malicious content.
Attack vector
An unauthenticated attacker crafts a URL containing a malicious payload that the ChatBot plugin reflects into the response unsanitised. If an authenticated administrator visits the crafted URL, the script executes in that administrator's browser session, within the site's origin and with that user's privileges.
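The root cause the advisory describes, a request parameter echoed into HTML and inline JavaScript without context-appropriate escaping, is shown below beside its hardened form. This is an added example written for this page; it is not code from the ChatBot plugin, and the parameter name cb_query, the function names and the shortcode tag are hypothetical. It assumes the WordPress API is loaded (plugin context), so esc_html(), esc_attr(), sanitize_text_field(), wp_unslash() and wp_json_encode() are available.

```php
<?php
/*
 * Added example, not the ChatBot plugin's own code. Parameter name
 * 'cb_query', function names and the shortcode tag are hypothetical.
 * Assumes the WordPress API is loaded.
 */

// VULNERABLE PATTERN (for comparison only, never registered below):
// a query-string value is concatenated straight into HTML and into an
// inline <script> string literal. Any '<', '"' or '</script>' in the
// value changes the page structure, which is reflected XSS.
function cb_example_render_unsafe() {
    $q = isset( $_GET['cb_query'] ) ? $_GET['cb_query'] : '';
    return '<div class="cb-last-query">' . $q . '</div>'
         . '<script>var cbLastQuery = "' . $q . '";</script>';
}

// HARDENED FORM: unslash and sanitise on input, then escape on output
// for the exact context the value lands in (HTML attribute, HTML body,
// JavaScript value).
function cb_example_render_safe() {
    $q = isset( $_GET['cb_query'] )
        ? sanitize_text_field( wp_unslash( $_GET['cb_query'] ) )
        : '';

    $html  = '<div class="cb-last-query" data-query="' . esc_attr( $q ) . '">';
    $html .= esc_html( $q );
    $html .= '</div>';

    // Hand the value to the script as a JSON literal instead of building a
    // quoted string by concatenation. The JSON_HEX_* flags encode < > & ' "
    // as \uXXXX escapes, so the value can neither terminate the string
    // literal nor close the <script> element.
    $json  = wp_json_encode(
        $q,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    $html .= '<script>var cbLastQuery = ' . $json . ';</script>';

    return $html;
}

// Only the hardened handler is exposed as a shortcode.
add_shortcode( 'cb_example', 'cb_example_render_safe' );
```

The point of the hardened version is that sanitising on input is not a substitute for escaping on output: sanitize_text_field() strips tags and control characters, but the value still has to be escaped differently for an attribute, for HTML text and for a script, and the same variable is escaped three different ways here. When reviewing a plugin for this class of bug, look for any $_GET, $_POST or $_REQUEST value (or anything derived from the request URI) that reaches an echo, a printf or a string concatenation feeding output without passing through one of the esc_* functions or a JSON encoder for the script context.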
Affected systems
ChatBot WordPress plugin ≤ 8.3.2
Mitigation
Update the ChatBot plugin to version 8.3.3 or later.
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-57362