CVE-2025-69388
Missing Authorization in Cliengo Chatbot Allows Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cliengo | chatbot | to 3.0.4 (inc) |
| cliengo | cliengo | to 3.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69388 is a Broken Access Control vulnerability in the WordPress Cliengo β Chatbot Plugin versions up to and including 3.0.4.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions.
This allows unprivileged users, such as those with only subscriber-level access, to perform actions that should be restricted to higher-privileged roles.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability can allow attackers with low-level privileges to perform unauthorized actions within the Cliengo β Chatbot plugin.
Such unauthorized actions could compromise the security and integrity of your WordPress site by bypassing intended access controls.
Since the vulnerability has a CVSS score of 6.5, it represents a moderate risk and has a reasonable likelihood of exploitation.
Without proper mitigation or patching, attackers could exploit this to manipulate chatbot functions or gain further access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions, allowing unprivileged users to perform actions reserved for higher-privileged roles.
Detection would involve monitoring for unauthorized access attempts or actions performed by subscriber-level users that should require higher privileges.
No specific commands or detection tools are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
No official patch is currently available for this issue.
Patchstack has issued a mitigation rule that can be applied to block attacks targeting this vulnerability until an official patch is released.
Users are advised to implement this mitigation promptly to secure their websites.
Additionally, monitoring and restricting subscriber-level privileges and access can help reduce the risk of exploitation.