Vulnerability  ·  2026-06-17

ChatBot WordPress Plugin — Subscriber Broken Access Control (CVE-2026-40788)

Vulnerability · High impact · Global · CVE-2026-40788
CVE-2026-40788 (CVSS 7.1 HIGH) published 2026-06-15. The ChatBot WordPress plugin in versions ≤ 7.9.7 contains broken access control exploitable by subscriber-level users, allowing them to access privileged chatbot management functionality.
Chatbot plugins store conversation logs in WordPress and may also hold LLM API keys there. Bypassing the plugin's access control lets low-privilege site members read sensitive conversation data or alter the chatbot configuration.
An authenticated subscriber-level WordPress user exploits broken access control in the ChatBot plugin to access functionality or data restricted to higher-privileged users.
ChatBot WordPress plugin ≤ 7.9.7
Update the ChatBot plugin to a version later than 7.9.7. Patchstack advisory: https://patchstack.com/database/wordpress/plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-9-7-broken-access-control-vulnerability
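The defect class described above, as an added PHP illustration that is not the ChatBot plugin's code: a hypothetical chatbot settings handler and conversation-log REST route, with the Subscriber-reachable form shown next to the hardened form. All hook, option and route names are invented for the example.

```php
<?php
// Constructed illustration of subscriber-level broken access control in a
// WordPress plugin; hypothetical hook names, not the ChatBot plugin's code.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every logged-in user, so with
// no capability check any Subscriber can overwrite the chatbot configuration.
function chatbot_demo_save_settings_insecure() {
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'chatbot_demo_llm_api_key', $api_key );
    wp_send_json_success();
}
// Shown for contrast only; the hardened handler below is the one hooked up.
// add_action( 'wp_ajax_chatbot_demo_save_settings', 'chatbot_demo_save_settings_insecure' );

// HARDENED: gate management actions on a capability Subscribers lack, and
// require a nonce so the request cannot be forged from another origin.
function chatbot_demo_save_settings_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // also terminates the request
    }
    check_ajax_referer( 'chatbot_demo_settings', 'nonce' ); // dies on failure
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'chatbot_demo_llm_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_chatbot_demo_save_settings', 'chatbot_demo_save_settings_secure' );

// Same class of bug on the REST side: a permission_callback that only checks
// for a login (or '__return_true') exposes conversation logs to Subscribers.
function chatbot_demo_register_routes() {
    register_rest_route( 'chatbot-demo/v1', '/conversations', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( get_option( 'chatbot_demo_conversations', array() ) );
        },
        // VULNERABLE: 'permission_callback' => 'is_user_logged_in',
        // HARDENED: require the same management capability as the admin UI.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}
add_action( 'rest_api_init', 'chatbot_demo_register_routes' );
```

When reviewing a plugin for this class of issue, look for every `wp_ajax_*`, `admin_post_*` and REST route handler and confirm each one checks a capability, not merely that a user is logged in.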
Sources
Patchstack Advisory — ChatBot Broken Access Control
NVD CVE-2026-40788