PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15610 quantumcloud CVE debrief

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).

Vendor
quantumcloud
Product
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Site owners using the WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress, particularly those with subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites.

Technical summary

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows authenticated attackers with subscriber-level access and above to re-embed stored RAG documents, modify the rag_documents table, and consume paid third-party AI API credits. The vulnerability affects all versions up to, and including, 8.5.6. Site owners should be aware of the potential for exploitation and take necessary actions to protect their sites.

Defensive priority

Medium priority due to the potential for exploitation by authenticated attackers with subscriber-level access and above.

Recommended defensive actions

  • Update the WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin to a version beyond 8.5.6.
  • Restrict access to sensitive areas of the site to prevent exploitation by authenticated attackers.
  • Monitor site activity for suspicious re-embedding of stored RAG documents and modifications to the rag_documents table.
  • Review and adjust API credits and usage to prevent unauthorized consumption.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-16T09:16:18.280Z and has not been modified since then. The NVD entry is currently available. The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:18.280Z and has not been modified since then.