PatchSiren cyber security CVE debrief
CVE-2026-15610 quantumcloud CVE debrief
The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).
- Vendor
- quantumcloud
- Product
- WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Site owners using the WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress, particularly those with subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites.
Technical summary
The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows authenticated attackers with subscriber-level access and above to re-embed stored RAG documents, modify the rag_documents table, and consume paid third-party AI API credits. The vulnerability affects all versions up to, and including, 8.5.6. Site owners should be aware of the potential for exploitation and take necessary actions to protect their sites.
Defensive priority
Medium priority due to the potential for exploitation by authenticated attackers with subscriber-level access and above.
Recommended defensive actions
- Update the WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin to a version beyond 8.5.6.
- Restrict access to sensitive areas of the site to prevent exploitation by authenticated attackers.
- Monitor site activity for suspicious re-embedding of stored RAG documents and modifications to the rag_documents table.
- Review and adjust API credits and usage to prevent unauthorized consumption.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-16T09:16:18.280Z and has not been modified since then. The NVD entry is currently available. The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:18.280Z and has not been modified since then.