CVE-2025-0329: 
WordPress vulnerability analysis and mitigation

The AI ChatBot for WordPress WordPress plugin versions before 6.2.4 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on January 8, 2025, and was assigned CVE-2025-0329. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations including multisite setups (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is explicitly disallowed. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows high-privilege users to inject and store malicious scripts through the plugin's settings interface. The stored XSS payload can then be triggered when other users access the affected pages, potentially leading to unauthorized actions being performed in the context of the victim's browser session (WPScan).

The vulnerability has been patched in version 6.2.4 of the AI ChatBot for WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).