{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32499", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.663Z", "datePublished": "2026-03-25T16:15:00.491Z", "dateUpdated": "2026-04-29T09:52:00.317Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "chatbot", "product": "ChatBot", "vendor": "QuantumCloud", "versions": [{"changes": [{"at": "7.8.0", "status": "unaffected"}], "lessThanOrEqual": "<= 7.7.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:38.109Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.<p>This issue affects ChatBot: from n/a through <= 7.7.9.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.317Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-7-9-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress ChatBot plugin <= 7.7.9 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:47:03.611349Z", "id": "CVE-2026-32499", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:47:10.985Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32499", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:47:03.611349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:41:49.564Z"}}], "cna": {"title": "WordPress ChatBot plugin <= 7.7.9 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QuantumCloud", "product": "ChatBot", "versions": [{"status": "affected", "changes": [{"at": "7.8.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 7.7.9"}], "packageName": "chatbot", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:38.109Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-7-9-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.<p>This issue affects ChatBot: from n/a through <= 7.7.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.317Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32499", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:00.317Z", "dateReserved": "2026-03-12T11:12:07.663Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:00.491Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9."}, {"lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n Inadecuada de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en el chatbot QuantumCloud ChatBot permite Inyecci\u00f3n SQL Ciega. Este problema afecta a ChatBot: desde n/a hasta &lt;= 7.7.9."}], "id": "CVE-2026-32499", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:01.817", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-7-9-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.7.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ChatBot", "source": "cna", "vendor": "QuantumCloud"}, "product": "chatbot", "vendor": "quantumcloud"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T16:01:22.180306+00:00", "value": {"mitigation_remediation": ["Upgrade the QuantumCloud ChatBot plugin to the latest version (\u22657.8.0) as soon as possible.", "If an upgrade cannot be performed immediately, disable the plugin until a patch is applied.", "Restrict external access to the plugin\u2019s endpoints or enforce authenticated usage where feasible.", "Apply input validation or WAF rules to block SQL injection patterns targeting the plugin."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection (Database Compromise)"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the QuantumCloud ChatBot plugin with versions up to and including 7.7.9 is affected. This includes all installations from the earliest release through 7.7.9, as the vulnerability is present in every version within that range.", "description_and_impact": "An attacker can inject malformed SQL into the QuantumCloud ChatBot WordPress plugin, causing the underlying database to execute unintended commands. The vulnerability derives from improper neutralization of special elements in SQL statements, enabling blind SQL injection (CWE\u201189). This allows an unauthenticated attacker to read or modify database contents, potentially leading to data exfiltration or further exploitation if the database user holds elevated privileges.", "risk_and_exploitability": "The CVSS score of 9.3 denotes a high severity, reflecting the potential for significant data loss or manipulation. The EPSS score is below 1%, indicating that widespread exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be via standard HTTP requests to the plugin\u2019s functionality that accepts unsanitized input; no prior authentication is required, enabling public attackers to trigger the blind SQL injection."}}}}, "created": "2026-03-25T21:43:29.444192+00:00", "updated": "2026-03-27T09:31:02.625149+00:00", "vendors": ["quantumcloud", "quantumcloud$PRODUCT$chatbot", "wordpress", "wordpress$PRODUCT$wordpress"]}