CVE-2025-9111: 
WordPress vulnerability analysis and mitigation

The AI ChatBot for WordPress (WPBOT) plugin before version 7.1.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on August 19, 2025, and is tracked as CVE-2025-9111. The issue affects the plugin's settings functionality and impacts WordPress installations using this plugin in versions prior to 7.1.0 (WPScan, NVD).

The vulnerability stems from insufficient sanitization and escaping of certain plugin settings. This security flaw specifically affects the FAQ Builder section within the FAQ Query Settings. The vulnerability has been assigned a CVSS score of 3.5 (Low), and is classified under CWE-79 (Cross-Site Scripting). A proof of concept demonstrates that the vulnerability can be exploited by inserting malicious JavaScript code in the FAQ Query Settings section (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. When successfully exploited, the vulnerability could lead to the execution of arbitrary web scripts whenever a user accesses an affected page (WPScan).

The vulnerability has been fixed in version 7.1.0 of the AI ChatBot for WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).