AI Chatbot Free Models WordPress Plugin CSV Injection Vulnerability
Vulnerability
A CSV injection (formula injection, CWE-1236) vulnerability has been identified in the AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress, affecting all versions up to and including 1.6.5. The 'newcodebyte_chatbot_export_messages' function writes stored chat messages into the export file without neutralizing values that a spreadsheet application would interpret as formulas. Because chat messages can be submitted without authentication, an attacker can plant such content by chatting with the bot and have it land, unchanged, in a CSV file that an administrator later exports. When that file is opened in a spreadsheet application such as Microsoft Excel with a configuration (or user consent) that allows the formula to execute, the attacker's formula runs on the administrator's machine.
Impact
Exploitation of this vulnerability results in code execution on the local system of whoever opens the manipulated CSV export, typically a site administrator, with that user's privileges. The WordPress server itself is not compromised by the injection; the export file is the delivery vehicle.
Reproduction
To reproduce this vulnerability, first send the chatbot, as an unauthenticated visitor, a message whose first non-blank character is one of the formula-trigger characters (=, +, -, @). Then, in the WordPress admin panel, export the chatbot messages using the 'Export' feature and choose the CSV format. The exported file contains the message verbatim; opening it in a spreadsheet application that evaluates formulas, such as Microsoft Excel, causes that cell to be treated as a formula rather than text. Inspecting the file in a plain text editor is enough to confirm the injection without executing anything.
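The following is an added example, not code from the plugin or from this advisory, showing the shape of the bug described above and the cell-level escaping that fixes it. The function names (export_messages_vulnerable, export_messages_fixed, csv_escape_cell, find_formula_cells), the column layout and the sample rows are assumptions constructed for illustration; the payloads are harmless arithmetic, since the trigger is the leading character, not the formula body.

```php
<?php
// Added example (not the plugin's own code). Names and sample data are assumptions.

// Constructed chat log: the 'visitor' rows are unauthenticated, attacker-controlled input.
const SAMPLE_ROWS = [
    ['id' => 1, 'sender' => 'visitor', 'message' => 'Hi, where is my order?'],
    ['id' => 2, 'sender' => 'bot',     'message' => 'Let me check that for you.'],
    ['id' => 3, 'sender' => 'visitor', 'message' => '=1+1'],
    ['id' => 4, 'sender' => 'visitor', 'message' => '  @SUM(1,2)'],  // leading spaces are ignored by spreadsheets
    ['id' => 5, 'sender' => 'visitor', 'message' => "\t-2+2"],       // a leading tab is also skipped
    ['id' => 6, 'sender' => 'visitor', 'message' => 'price is -20% "off", really'],  // benign: no leading trigger
];

// Characters that make Excel / LibreOffice Calc evaluate a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@'];

// True when the first non-blank character of the cell would start a formula.
function looks_like_formula(string $cell): bool {
    $lead = ltrim($cell, " \t\r\n");
    return $lead !== '' && in_array($lead[0], FORMULA_TRIGGERS, true);
}

// Hardened cell encoder: a leading single quote makes the spreadsheet store the
// value as literal text. fputcsv's own quoting handles delimiters and double
// quotes but does nothing about formulas, which is the gap described above.
function csv_escape_cell($value): string {
    $s = (string) $value;
    return looks_like_formula($s) ? "'" . $s : $s;
}

function rows_to_csv(array $rows, bool $hardened): string {
    $out = fopen('php://temp', 'r+');
    // Explicit enclosure/escape arguments: '' disables PHP's backslash escaping (RFC 4180 style).
    fputcsv($out, ['id', 'sender', 'message'], ',', '"', '');
    foreach ($rows as $r) {
        $fields = [$r['id'], $r['sender'], $r['message']];
        if ($hardened) {
            $fields = array_map('csv_escape_cell', $fields);
        }
        fputcsv($out, $fields, ',', '"', '');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Vulnerable shape: attacker-controlled messages written straight to the file.
function export_messages_vulnerable(array $rows): string { return rows_to_csv($rows, false); }

// Fixed shape: every cell passes through csv_escape_cell() first.
function export_messages_fixed(array $rows): string { return rows_to_csv($rows, true); }

// Audit helper for an existing export: parse it back and list the cells a
// spreadsheet would evaluate. Returns [row_index => [column_index => cell]].
function find_formula_cells(string $csv): array {
    $in = fopen('php://temp', 'r+');
    fwrite($in, $csv);
    rewind($in);
    $hits = [];
    $rowNo = 0;
    while (($fields = fgetcsv($in, null, ',', '"', '')) !== false) {
        foreach ($fields as $col => $cell) {
            if (looks_like_formula((string) $cell)) {
                $hits[$rowNo][$col] = $cell;
            }
        }
        $rowNo++;
    }
    fclose($in);
    return $hits;
}

$before = find_formula_cells(export_messages_vulnerable(SAMPLE_ROWS));
$after  = find_formula_cells(export_messages_fixed(SAMPLE_ROWS));
printf("rows with formula cells before fix: %d, after fix: %d\n", count($before), count($after));
echo export_messages_fixed(SAMPLE_ROWS);
```

Two caveats when applying this pattern. The apostrophe prefix will also tag genuine negative numbers such as -20, so apply it to free-text columns and validate numeric columns as numbers instead. And fputcsv only quotes a field that contains the configured delimiter (here ','), so in a locale where Excel splits on ';' a cell like x;=1+1 can still be split into a formula; enclosing every field in quotes unconditionally closes that gap. The find_formula_cells() helper is the quick check to run over an export you already have on disk before opening it in a spreadsheet.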
Remediation
Users are advised to update the plugin to version 1.6.6 or later, where this vulnerability has been patched. Until the update is applied, open message exports in a plain text editor, or import them with formula evaluation disabled, rather than double-clicking them into a spreadsheet application.
