CVE-2025-11576
BaseFortify
Publication date: 2025-10-24
Last updated on: 2025-10-27
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | chatbot-ai-free-models | 1.6.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a CSV Injection in the AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress, affecting all versions up to 1.6.5. It occurs because the 'newcodebyte_chatbot_export_messages' function does not properly sanitize input, allowing unauthenticated attackers to insert malicious content into exported CSV files. When these files are downloaded and opened on a local system with a vulnerable configuration, it can lead to code execution.
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthenticated attackers to execute code on your local system when you open a maliciously crafted exported CSV file from the plugin. This could lead to unauthorized actions or compromise of your system if the CSV file is opened in a vulnerable environment.
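One way to neutralize cells at export time, which is the step CWE-1236 describes as missing. This is an added example, not the plugin's code or its patch; the function names `neutralize_csv_cell` and `export_messages_csv` and the sample rows are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helper names; not the plugin's own code.

/**
 * Neutralize one CSV cell so a spreadsheet treats it as text, not a formula.
 * Cells whose first character is =, +, -, @, tab or carriage return get a
 * leading single quote, the mitigation commonly recommended for CWE-1236.
 */
function neutralize_csv_cell($value): string
{
    $text = (string) $value;
    if ($text !== '' && strpbrk($text[0], "=+-@\t\r") !== false) {
        return "'" . $text;
    }
    return $text;
}

/** Write rows to an open CSV stream, neutralizing every cell first. */
function export_messages_csv(array $rows, $stream): void
{
    // fputcsv() handles delimiter and quote escaping; it does NOT handle
    // formula prefixes, which is why the per-cell step above is needed.
    fputcsv($stream, ['id', 'sender', 'message'], ',', '"', '\\');
    foreach ($rows as $row) {
        fputcsv($stream, array_map('neutralize_csv_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample data: chat messages as a site visitor might submit them.
// Rows 2-4 begin with characters a spreadsheet would interpret specially.
$messages = [
    [1, 'visitor', 'Hello, I need help with my order'],
    [2, 'visitor', '=1+1'],
    [3, 'visitor', '@SUM(A1:A2)'],
    [4, 'visitor', '-5 degrees outside'],
];

$out = fopen('php://output', 'w');
export_messages_csv($messages, $out);
fclose($out);
```

Legitimate values that start with `-` or `+`, such as negative numbers, are prefixed too; that is the trade-off of this mitigation.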