Skip to main content

CVE-2023-5691: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in collectchat Collect.chat Chatbot ⚡️

Medium
VulnerabilityCVE-2023-5691cvecve-2023-5691cwe-79
Published: Thu Jan 11 2024 (01/11/2024, 08:33:04 UTC)
Source: CVE Database V5
Vendor/Project: collectchat
Product: Collect.chat Chatbot ⚡️

Description

The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 2.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI-Powered Analysis

AILast updated: 07/04/2025, 16:41:40 UTC

Technical Analysis

CVE-2023-5691 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Collect.chat Chatbot plugin for WordPress, specifically version 2.3.9. This vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. The flaw exists in the admin settings interface of the plugin where insufficient input sanitization and output escaping allow an authenticated attacker with administrator-level permissions or higher to inject arbitrary malicious scripts. These scripts are then stored and executed whenever any user accesses the compromised page. The vulnerability is limited to multi-site WordPress installations or those where the 'unfiltered_html' capability is disabled, which restricts users from posting unfiltered HTML content. Exploitation requires high privileges (admin or above) and does not require user interaction once the malicious script is injected, as the payload executes automatically upon page load. The CVSS v3.1 base score is 4.4 (medium severity), reflecting the network attack vector, high attack complexity, required privileges, no user interaction, and limited confidentiality and integrity impact without availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could be leveraged to perform actions such as session hijacking, defacement, or further privilege escalation within affected WordPress environments.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to those using WordPress multi-site setups with the Collect.chat Chatbot plugin version 2.3.9. Since exploitation requires administrator-level access, the threat is more about post-compromise persistence and lateral movement rather than initial breach. Successful exploitation could lead to theft of sensitive information such as session cookies or credentials, unauthorized actions performed on behalf of users, or distribution of malicious content to site visitors. This could damage organizational reputation, lead to data breaches under GDPR regulations, and cause operational disruptions. The impact is heightened in sectors with strict compliance requirements or high-value targets such as government, finance, healthcare, and e-commerce. However, the medium CVSS score and the requirement for high privileges limit the scope of immediate widespread exploitation. Organizations with multi-site WordPress deployments and restrictive HTML filtering are the most vulnerable, and failure to address this could enable attackers to maintain persistence and escalate attacks within the network.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify if they are running the affected Collect.chat Chatbot plugin version 2.3.9 on multi-site WordPress installations or installations with 'unfiltered_html' disabled. Immediate steps include: 1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2) Monitor and audit admin settings pages for unauthorized or suspicious script injections. 3) Apply any available vendor patches or updates as soon as they are released; if no patch is available, consider temporarily disabling the plugin or reverting to a previous safe version. 4) Implement Web Application Firewalls (WAF) with rules to detect and block XSS payloads targeting admin interfaces. 5) Conduct regular security reviews and penetration testing focusing on multi-site WordPress environments. 6) Educate administrators on secure input handling and the risks of stored XSS. 7) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. These targeted measures go beyond generic advice by focusing on the specific conditions and attack vectors of this vulnerability.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2023-10-20T19:07:22.844Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f034a182aa0cae27e661b

Added to database: 6/3/2025, 2:14:34 PM

Last enriched: 7/4/2025, 4:41:40 PM

Last updated: 8/12/2025, 4:59:40 AM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats