Vulnerability  ·  2026-07-03

ChatBot WordPress Plugin — Unauthenticated Reflected XSS (CVE-2026-57362)

Tags: Vulnerability · Medium impact · Global · CVE-2026-57362
CVE-2026-57362 (CVSS 7.1 High) was published to NVD on 2 July 2026. The ChatBot WordPress plugin ≤ 8.3.2 contains an unauthenticated reflected XSS vulnerability. User-supplied input is reflected into the response without adequate HTML or JavaScript escaping.
AI chatbot plugins are common entry points on WordPress sites. Reflected XSS targeting admin sessions can lead to account takeover and site compromise, allowing attackers to modify chatbot configurations, exfiltrate API keys used to connect to OpenAI or other LLM providers, or redirect end-users to malicious content.
An unauthenticated attacker crafts a URL containing a malicious payload that is reflected unsanitised by the ChatBot plugin. If an authenticated administrator visits the crafted URL, the script executes in their browser session.
Affected: ChatBot WordPress plugin ≤ 8.3.2
Remediation: Update the ChatBot plugin to version 8.3.3 or later. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-57362
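The defect class the advisory describes (a request parameter echoed back into HTML, an attribute and an inline script without escaping) is easiest to see next to its fix. The following is an added illustration written for this page; it is not the ChatBot plugin's code and makes no claim about which parameter or template the plugin actually reflects. It defines fallbacks for the WordPress escaping functions so it runs outside WordPress; inside a plugin the real esc_html(), esc_attr() and wp_json_encode() would be used.

```php
<?php
// Added example, not the ChatBot plugin's code: a hypothetical handler that
// reflects a query parameter, first with the defect the advisory describes,
// then escaped per output context. Function names below mirror WordPress's
// real escaping helpers; the fallbacks exist only so the file runs stand-alone.

if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($value, int $flags = 0): string {
        return json_encode($value, $flags);
    }
}

// Vulnerable pattern: the same untrusted string lands in three different
// contexts (attribute value, text node, JS string literal) with no escaping,
// so '"', '<' or '</script>' in the input change the page's structure.
function render_chat_box_unsafe(array $get): string {
    $prompt = $get['prompt'] ?? '';
    return '<div class="chat-box" data-prompt="' . $prompt . '">'
         . '<p>You asked: ' . $prompt . '</p>'
         . '<script>var initialPrompt = "' . $prompt . '";</script>'
         . '</div>';
}

// Hardened pattern: one escaper per context. esc_attr() for attribute values,
// esc_html() for text, and JSON encoding with JSON_HEX_TAG/JSON_HEX_AMP for a
// JavaScript literal (also turns "</script>" into "<\/script>", which cannot
// close the script element).
function render_chat_box_safe(array $get): string {
    $prompt = $get['prompt'] ?? '';
    $js     = wp_json_encode($prompt, JSON_HEX_TAG | JSON_HEX_AMP);
    return '<div class="chat-box" data-prompt="' . esc_attr($prompt) . '">'
         . '<p>You asked: ' . esc_html($prompt) . '</p>'
         . '<script>var initialPrompt = ' . $js . ';</script>'
         . '</div>';
}

// Constructed sample input containing the characters that matter for each
// context; it is deliberately not a working payload, only structure breakers.
$sample = ['prompt' => 'say "hi" <em>& more</em> </script>'];

$unsafe = render_chat_box_unsafe($sample);
$safe   = render_chat_box_safe($sample);

// The unsafe rendering still contains raw markup from the input; the safe one
// contains no raw "<em>" and no "</script>" that originated from the input
// (the only "</script>" left is the template's own closing tag).
assert(strpos($unsafe, '<em>') !== false);
assert(strpos($safe, '<em>') === false);
assert(substr_count($safe, '</script>') === 1);

if (PHP_SAPI === 'cli') {
    echo "unsafe: $unsafe\n\nsafe:   $safe\n";
}
```

The checks at the bottom show what a reviewer looks for when triaging a reflected XSS report: any output sink where a request value appears should be wrapped in the escaper for that specific context, and a fix that only adds esc_html() around the text node while leaving the attribute or the inline script untouched is incomplete.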
Sources
NVD — CVE-2026-57362
GitHub Advisory — GHSA-3pc2-v6g3-vwg9