CVE-2025-11576: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in newcodebyte AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant
The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
AI Analysis
Technical Summary
The AI Chatbot Free Models plugin for WordPress suffers from a CSV Injection vulnerability (CWE-1236) due to improper neutralization of formula elements in CSV exports generated by the 'newcodebyte_chatbot_export_messages' function. This allows unauthenticated attackers to embed malicious input into CSV files, which may execute code when opened in spreadsheet software that processes formulas. The vulnerability affects all versions up to and including 1.6.5. The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), reflecting network attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality or availability impact, and limited integrity impact.
Potential Impact
An attacker can inject malicious formula code into CSV files exported by the plugin, which may execute when the file is opened by a user in a vulnerable spreadsheet application. This can lead to limited integrity impact such as executing unintended commands or scripts on the local system. There is no direct impact on confidentiality or availability according to the CVSS vector. The vulnerability requires user interaction (opening the CSV file) and does not require authentication to exploit.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution when opening CSV files exported from this plugin, especially if received from untrusted sources. Applying input sanitization or filtering on exported CSV content manually may reduce risk. Monitor the vendor's channels for updates or patches addressing this vulnerability.
CVE-2025-11576: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in newcodebyte AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant
Description
The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The AI Chatbot Free Models plugin for WordPress suffers from a CSV Injection vulnerability (CWE-1236) due to improper neutralization of formula elements in CSV exports generated by the 'newcodebyte_chatbot_export_messages' function. This allows unauthenticated attackers to embed malicious input into CSV files, which may execute code when opened in spreadsheet software that processes formulas. The vulnerability affects all versions up to and including 1.6.5. The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), reflecting network attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality or availability impact, and limited integrity impact.
Potential Impact
An attacker can inject malicious formula code into CSV files exported by the plugin, which may execute when the file is opened by a user in a vulnerable spreadsheet application. This can lead to limited integrity impact such as executing unintended commands or scripts on the local system. There is no direct impact on confidentiality or availability according to the CVSS vector. The vulnerability requires user interaction (opening the CSV file) and does not require authentication to exploit.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution when opening CSV files exported from this plugin, especially if received from untrusted sources. Applying input sanitization or filtering on exported CSV content manually may reduce risk. Monitor the vendor's channels for updates or patches addressing this vulnerability.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-09T23:55:23.529Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68fb728365a68e4110938108
Added to database: 10/24/2025, 12:35:15 PM
Last enriched: 4/9/2026, 3:55:02 PM
Last updated: 5/10/2026, 5:41:00 AM
Views: 275
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.