CVE-2025-0329: 
WordPress vulnerability analysis and mitigation

The AI ChatBot for WordPress WordPress plugin versions before 6.2.4 contains a stored Cross-Site Scripting (XSS) vulnerability, discovered on January 8, 2025, and assigned CVE-2025-0329. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations including multisite setups (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The security flaw has been assigned a CVSS 3.1 score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 and specifically affects the plugin's settings interface (NVD, Wiz).

When exploited, this vulnerability allows high-privilege users to inject and store malicious scripts through the plugin's settings interface. The stored XSS payload can then be triggered when other users access the affected pages, potentially leading to unauthorized actions being performed in the context of the victim's browser session (WPScan).

The vulnerability has been patched in version 6.2.4 of the AI ChatBot for WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).