WPBot is a WordPress plugin that provides an AI-powered chatbot for websites, enabling live chat support, lead generation, and data collection. It integrates with OpenAI, ChatGPT, and other LLM services, while also offering built-in automated support without external AI dependencies.
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WPBot Lite that allows users to inject malicious scripts via the FAQ Builder, affecting users with sufficient access (such as contributors or admins reviewing FAQs). This vulnerability can lead to account compromise, data exfiltration, and site takeover.
| Field | Value |
|---|---|
| CVE | CVE-2025-8891 |
| Plugin Version | WPBOT |
| Critical | High |
| All Time | 885 099 |
| Active installations | 7 000+ |
| Publicly Published | Aug 20, 2025 |
| Last Updated | Aug 20, 2025 |
| Researcher | Artyom Krugov |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9111 , https://wpscan.com/vulnerability/5845bcff-beb8-45c8-b182-3dc9e209008b/ |
Timeline

| Date | Event |
|---|---|
| August 14, 2025 | Plugin testing and vulnerability detection in WPBOT have been completed |
| August 14, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| August 20, 2025 | Registered CVE-2025-9111 |
Discovery of the Vulnerability
During security testing of WPBot (versions ≤ the current plugin release), researchers found that the FAQ Builder feature does not properly sanitize user input in the FAQ query parameter before storing it and rendering it back into the page.
- Plugin: WPBot (ChatBot for WordPress)
- Affected Versions: Lite (≤ current vulnerable release)
- Vulnerable Component: FAQ Builder – query parameter
- Type: Stored XSS
Understanding Stored XSS in WordPress and Real Examples
What is Stored XSS?
Stored XSS occurs when untrusted input is stored on the server and later rendered in a webpage without proper sanitization or escaping, allowing malicious scripts to execute in the browser of users who view the page.
- Persistent: Unlike reflected XSS, it does not require tricking the victim into visiting a malicious URL.
- High Impact: Can affect admins or privileged users, leading to site compromise.
WordPress Context Examples:
- Injecting scripts into plugin-generated fields like forms, chat widgets, or FAQ content.
- Exploiting custom shortcodes or blocks that fail to sanitize user input.
- Targeting multi-author environments, where contributors’ content is reviewed by admins.
The WPBot vulnerability is a clear example where FAQ Builder inputs are stored and executed without sanitization.
Exploiting the Stored XSS
To exploit CVE-2025-8891, an attacker (without any cookies) does the following:

PoC:

1. Log in to a WordPress account with sufficient privileges.
2. Navigate to WPBot Lite > Settings > FAQ Builder.
3. Insert the following payload into the FAQ query field: `123123" onmouseover='alert(777)'`
4. Save the FAQ item.
5. When an admin or editor views the FAQ, hovering over the injected content triggers the JavaScript, confirming XSS execution.
Why it works:

- Input from the FAQ query is directly rendered in the HTML output.
- No sanitization (`esc_html()`, `esc_attr()`) or validation is applied.
- Malicious attributes like `onmouseover` can execute arbitrary JavaScript.
Recommendations for Improved Security
For Plugin Developers:

- Sanitize User Input: Apply `sanitize_text_field()` or `esc_html()` to all user inputs.
- Escape Output: Use `esc_attr()` or `wp_kses_post()` when rendering user-generated content.
- Validate Inputs: Restrict allowed characters and length in the FAQ query field.
- Security Audits: Regularly review code paths for unsanitized input and stored XSS vectors.
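The following PHP is an added illustration, not code from WPBot or CleanTalk, of the "why it works" and the developer recommendations above. It assumes the stored FAQ query is printed inside an HTML attribute, and the WordPress helpers `esc_attr()`, `esc_html()` and `sanitize_text_field()` are replaced by simplified stand-ins so the file runs outside WordPress.

```php
<?php
// Added example, not WPBot's or CleanTalk's code. The WordPress helpers below
// are simplified stand-ins (assumption) so this runs without WordPress loaded.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Simplified: drop tags, control characters and surrounding whitespace.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so a stray double quote in it terminates the attribute and anything after
// it (for example onmouseover=) becomes a new attribute.
function render_faq_vulnerable(array $faq): string {
    return '<div class="faq-item" data-query="' . $faq['query'] . '">'
         . $faq['answer'] . '</div>';
}

// Hardened pattern: sanitize on save, then escape for the attribute context
// (esc_attr) and the text context (esc_html) on output. The quotes are
// encoded, so the payload stays inert text inside the attribute.
function render_faq_hardened(array $faq): string {
    $query = sanitize_text_field($faq['query']);
    return '<div class="faq-item" data-query="' . esc_attr($query) . '">'
         . esc_html($faq['answer']) . '</div>';
}

// Audit helper for site admins (hypothetical name): flag stored entries that
// carry an inline event-handler attribute such as onmouseover=.
function looks_injected(string $value): bool {
    return (bool) preg_match('/\bon[a-z]+\s*=/i', $value);
}

// Constructed FAQ entry using the payload from the PoC above.
$faq = ['query' => '123123" onmouseover=\'alert(777)\'', 'answer' => 'Hours: 9-17'];

echo render_faq_vulnerable($faq), PHP_EOL;
echo render_faq_hardened($faq), PHP_EOL;
var_dump(looks_injected($faq['query']));
```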
For Site Administrators:
- Restrict Privileges: Limit who can add or edit FAQ entries.
- Update Plugins: Apply security patches as soon as they are released.
- Use Security Plugins: Implement Web Application Firewalls (WAF) and monitoring plugins like Wordfence.
- Audit Content: Regularly review FAQ entries and other dynamic content for injected scripts.
- Educate Users: Train contributors and editors on safe content practices.
By taking proactive measures to address stored XSS vulnerabilities like CVE-2025-8891, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.