CVE-2025-60223: WPBot subscriber file deletion →

CISO Take

WPBot Pro WordPress Chatbot versions 13.6.5 and below contain a path traversal flaw (CWE-22) that allows any authenticated subscriber—the lowest WordPress user tier—to delete arbitrary files from the server. With attack complexity rated low, no user interaction required, and a Changed Scope CVSS indicator, the blast radius extends beyond the plugin itself to core WordPress configuration files, database credentials, and any AI model artifacts or knowledge base documents co-hosted on the same server. No public exploit or CISA KEV listing exists at this time, but the trivially low exploitation bar—just a free subscriber account—means opportunistic scanners will find this quickly on sites with open registration. Patch to the fixed release immediately, gate or disable open user registration, and implement file integrity monitoring on the web root.

Sources: NVD ATLAS CISA KEV Patchstack (patchstack.com)

What is the risk?

Risk is elevated for any WordPress deployment with open user registration enabled. A subscriber account—freely obtainable on most community, e-commerce, or SaaS-adjacent WordPress sites—is sufficient to trigger arbitrary file deletion with no additional privilege escalation. The Changed Scope modifier (S:C) confirms the blast radius extends beyond the WPBot Pro plugin boundary to the broader WordPress instance and any co-located files. Absence from CISA KEV and no confirmed public exploit partially offset urgency, but CVSS 7.7 combined with network-accessible low-complexity exploitation places this firmly in immediate-patch territory for any organization running this plugin with subscriber-level registration open.

How does the attack unfold?

Initial Access

Adversary registers a free subscriber account on the target WordPress site or obtains existing low-privilege credentials via credential stuffing.

AML.T0012

Exploitation

Authenticated subscriber sends a crafted HTTP request embedding path traversal sequences to WPBot Pro's file-handling endpoint, bypassing authorization checks due to CWE-22.

AML.T0049

File Deletion

The unsanitized file path is resolved server-side and the targeted file—wp-config.php, AI knowledge base documents, or model artifacts—is permanently deleted.

AML.T0101

Impact: Service Disruption

Deletion of critical configuration or AI content files renders the WordPress installation and AI chatbot service unavailable, achieving sustained denial of service.

AML.T0029

Initial Access

Adversary registers a free subscriber account on the target WordPress site or obtains existing low-privilege credentials via credential stuffing.

AML.T0012

Exploitation

Authenticated subscriber sends a crafted HTTP request embedding path traversal sequences to WPBot Pro's file-handling endpoint, bypassing authorization checks due to CWE-22.

AML.T0049

File Deletion

The unsanitized file path is resolved server-side and the targeted file—wp-config.php, AI knowledge base documents, or model artifacts—is permanently deleted.

AML.T0101

Impact: Service Disruption

Deletion of critical configuration or AI content files renders the WordPress installation and AI chatbot service unavailable, achieving sustained denial of service.

AML.T0029

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
WPBot	pip	—	No patch

Do you use WPBot? You're affected.

How severe is it?

CVSS 3.1

7.7 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Changed

C None

I None

A High

What should I do?

6 steps

Patch: Update WPBot Pro beyond version 13.6.5; consult the Patchstack advisory for the exact fixed release number.
Registration lockdown: Disable WordPress open user registration if subscriber accounts are not operationally required (Settings > General > uncheck 'Anyone can register').
File system permissions: Restrict the web process (www-data/nginx) to write/delete access only within wp-content/uploads; the process should not have broad delete rights across the web root.
Integrity monitoring: Deploy file integrity monitoring (Wordfence, Sucuri, or host-level AIDE) on the web root to alert on unexpected file deletions.
WAF rules: Apply a rule blocking path traversal sequences (../, ..\) in parameters destined for WPBot Pro endpoints.
Backup validation: Confirm daily backups of WordPress files, wp-config.php, and all AI knowledge base content are operational and can be restored within your RTO.

How is it classified?

DoS Auth Bypass Plugin AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0101 - Data Destruction via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.5 - AI system availability and resilience

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place to address AI risks

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-60223?

WPBot Pro WordPress Chatbot versions 13.6.5 and below contain a path traversal flaw (CWE-22) that allows any authenticated subscriber—the lowest WordPress user tier—to delete arbitrary files from the server. With attack complexity rated low, no user interaction required, and a Changed Scope CVSS indicator, the blast radius extends beyond the plugin itself to core WordPress configuration files, database credentials, and any AI model artifacts or knowledge base documents co-hosted on the same server. No public exploit or CISA KEV listing exists at this time, but the trivially low exploitation bar—just a free subscriber account—means opportunistic scanners will find this quickly on sites with open registration. Patch to the fixed release immediately, gate or disable open user registration, and implement file integrity monitoring on the web root.

Is CVE-2025-60223 actively exploited?

No confirmed active exploitation of CVE-2025-60223 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-60223?

1. Patch: Update WPBot Pro beyond version 13.6.5; consult the Patchstack advisory for the exact fixed release number. 2. Registration lockdown: Disable WordPress open user registration if subscriber accounts are not operationally required (Settings > General > uncheck 'Anyone can register'). 3. File system permissions: Restrict the web process (www-data/nginx) to write/delete access only within wp-content/uploads; the process should not have broad delete rights across the web root. 4. Integrity monitoring: Deploy file integrity monitoring (Wordfence, Sucuri, or host-level AIDE) on the web root to alert on unexpected file deletions. 5. WAF rules: Apply a rule blocking path traversal sequences (../, ..\) in parameters destined for WPBot Pro endpoints. 6. Backup validation: Confirm daily backups of WordPress files, wp-config.php, and all AI knowledge base content are operational and can be restored within your RTO.

What systems are affected by CVE-2025-60223?

This vulnerability affects the following AI/ML architecture patterns: AI chatbot deployments, WordPress-based conversational AI, RAG-backed chatbot knowledge bases, Web-hosted AI model artifacts.

What is the CVSS score for CVE-2025-60223?

CVE-2025-60223 has a CVSS v3.1 base score of 7.7 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI chatbot deploymentsWordPress-based conversational AIRAG-backed chatbot knowledge basesWeb-hosted AI model artifacts

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.9.5

NIST AI RMF: GOVERN 6.2

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot <= 13.6.5 versions.

Exploitation Scenario

An adversary targeting an AI chatbot-enabled WordPress site registers a free subscriber account via the site's public registration form. Using the resulting authenticated session cookie, they probe WPBot Pro's file-handling API endpoints and craft a request embedding path traversal sequences—for example, ../../../../wp-config.php—as the target file parameter. The plugin resolves the path without sanitization and invokes file deletion on the absolute server path. The attacker first deletes wp-config.php to confirm arbitrary file deletion and trigger a site-wide 500-level outage, then proceeds to delete the chatbot's JSON knowledge base files, uploaded training corpora, or any LLM-connected document store in the web root—permanently destroying the AI assistant's context data and causing extended service disruption with no straightforward recovery path absent a validated backup.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.