CVE-2024-13091
📋 TL;DR
The WPBot Pro WordPress Chatbot plugin has a critical vulnerability allowing unauthenticated attackers to upload arbitrary files due to missing file type validation. This affects all WordPress sites using WPBot Pro plugin versions up to 13.5.4, potentially leading to remote code execution. The exploit requires both the ChatBot Conversational Forms plugin and Conversational Form Builder Pro addon to be installed.
💻 Affected Systems
- WPBot Pro WordPress Chatbot plugin
- ChatBot Conversational Forms plugin
- Conversational Form Builder Pro addon
📦 What is this software?
WPBot Pro WordPress Chatbot by WPBot
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or install cryptocurrency miners.
If Mitigated
File uploads are blocked, but exploitation attempts may still appear in logs.
🎯 Exploit Status
Exploit is straightforward - attackers can upload malicious files without authentication using the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.5.5 or later
Vendor Advisory: https://www.wpbot.pro/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the WPBot Pro plugin.
4. Update to version 13.5.5 or later.
5. Verify that ChatBot Conversational Forms and Conversational Form Builder Pro are also updated if separate updates exist.
🔧 Temporary Workarounds
Disable vulnerable plugins
Temporarily disable the WPBot Pro, ChatBot Conversational Forms, and Conversational Form Builder Pro plugins until patched.
wp plugin deactivate wpbot-pro
wp plugin deactivate chatbot-conversational-forms
wp plugin deactivate conversational-form-builder-pro
Web Application Firewall rule
Block requests to admin-ajax.php that carry the vulnerable action qcld_wpcfb_file_upload.
# Example ModSecurity rule: match the admin-ajax action in the query string or POST body (phase 2, after request-body parsing)
SecRule ARGS:action "@streq qcld_wpcfb_file_upload" "id:1001,phase:2,deny,status:403,log,msg:'CVE-2024-13091 WPBot Pro file upload attempt'"
🧯 If You Can't Patch
- Immediately disable all three vulnerable plugins completely.
- Restrict file upload permissions in WordPress to authenticated users only via .htaccess or web server configuration.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WPBot Pro version. If version is 13.5.4 or lower and both required plugins are active, the site is vulnerable.
Check Version:
wp plugin get wpbot-pro --field=version
Verify Fix Applied:
Verify WPBot Pro plugin version is 13.5.5 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=qcld_wpcfb_file_upload
- File uploads of unusual file types (php, exe, etc.) to upload directories
- Increased file upload activity from single IPs
Network Indicators:
- HTTP POST requests to admin-ajax.php with file upload parameters
- Traffic spikes to upload directories
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="qcld_wpcfb_file_upload"
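The log indicators above, as an added example that is not part of the advisory: a small Python scanner over constructed web-server access-log lines that flags POSTs to admin-ajax.php with action=qcld_wpcfb_file_upload and counts them per client IP. It assumes the combined log format and that the action travels in the query string; standard access logs do not record POST bodies, so body-borne actions are only visible in WAF audit logs or request-body logging.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined access-log format: client IP, identity, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
VULN_ACTION = "qcld_wpcfb_file_upload"  # admin-ajax action named in the advisory

# Constructed sample lines (not real traffic; documentation IP ranges): two attempts from
# one client, one blocked attempt from another, and benign traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=qcld_wpcfb_file_upload HTTP/1.1" 200 151 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=qcld_wpcfb_file_upload HTTP/1.1" 200 151 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2025:12:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=qcld_wpcfb_file_upload HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.21 - - [10/Jan/2025:12:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48 "https://blog.example/wp-admin/" "Mozilla/5.0"
192.0.2.21 - - [10/Jan/2025:12:06:30 +0000] "GET /wp-content/uploads/2025/01/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def find_upload_attempts(log_text):
    """Return (hits, per_ip): hits are POSTs to admin-ajax.php whose query string carries
    action=qcld_wpcfb_file_upload; per_ip counts those hits by client address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        action = parse_qs(url.query).get("action", [""])[0]
        if (m["method"] == "POST"
                and url.path.endswith("/wp-admin/admin-ajax.php")
                and action == VULN_ACTION):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits, Counter(h["ip"] for h in hits)

def repeat_offenders(per_ip, threshold=2):
    """Clients with at least `threshold` matching attempts (the advisory's
    "increased file upload activity from single IPs" indicator)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    hits, per_ip = find_upload_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']}  {h['ip']}  status={h['status']}")
    print("repeat offenders:", repeat_offenders(per_ip))
```

A 200 on any flagged request means the endpoint answered rather than rejected, so the uploads directory of that site should be inspected for PHP or other executable files.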