CVE-2024-13091: 
WordPress vulnerability analysis and mitigation

The WPBot Pro Wordpress Chatbot plugin for WordPress (versions up to 13.5.4) contains a critical vulnerability identified as CVE-2024-13091. The vulnerability was discovered by István Márton and publicly disclosed on January 21, 2025. This security flaw affects the plugin's file upload functionality and impacts websites using WPBot Pro along with the ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin (NVD).

The vulnerability stems from missing file type validation in the 'qcldwpcfbfile_upload' function. This security flaw has been assigned a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (Wordfence).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This poses a significant security risk as it could lead to complete server compromise (NVD).

Website administrators running affected versions of WPBot Pro should upgrade to a version newer than 13.5.4 to address this vulnerability (NVD).