Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
WP-Chatbot for Messenger plugin authorization bypass in all versions up to 4.9
CVE-2026-3506
Summary
The WP-Chatbot for Messenger plugin has a bug that lets anyone change sensitive settings without logging in. This could allow hackers to take control of your chatbot and redirect conversations to their own account. Update to the latest version (5.0 or higher) to fix this issue.
Original title
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is au...
Original description
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the site's MobileMonkey API token and company ID options, which can be used to hijack chatbot configuration and redirect visitor conversations to an attacker-controlled MobileMonkey account.
nvd CVSS3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/wp-chatbot/tags/4.9/admin/admin.php#L...
- https://plugins.trac.wordpress.org/browser/wp-chatbot/tags/4.9/admin/class-htcc-...
- https://plugins.trac.wordpress.org/browser/wp-chatbot/tags/4.9/inc/MobileMonkeyA...
- https://plugins.trac.wordpress.org/browser/wp-chatbot/tags/4.9/inc/MobileMonkeyA...
- https://plugins.trac.wordpress.org/browser/wp-chatbot/tags/4.9/inc/MobileMonkeyA...
- https://plugins.trac.wordpress.org/browser/wp-chatbot/tags/4.9/inc/class-ht-cc.p...
- https://plugins.trac.wordpress.org/browser/wp-chatbot/trunk/inc/MobileMonkeyApi....
- https://www.wordfence.com/threat-intel/vulnerabilities/id/32cce973-bc3b-45f1-ad4...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026