What happened
The QuantumCloud ChatBot WordPress plugin (<=8.3.7) contains a stored XSS vulnerability (CVSS 7.1).
Why it matters
Narrow blast radius limited to WordPress sites running this specific AI chatbot plugin, but stored XSS in a chatbot widget could be used to hijack admin sessions or manipulate chatbot configuration seen by site visitors.
Attack vector
Improper neutralization of input during web page generation allows an attacker to store malicious script content that executes in the context of site visitors/admins interacting with the chatbot.
Affected systems
QuantumCloud ChatBot chatbot plugin, through <= 8.3.7
Mitigation
Update to a patched version beyond 8.3.7 per Patchstack advisory.