CVE-2026-40788: WordPress ChatBot plugin <= 7.9.7 - Broken Access Control vulnerability
Subscriber Broken Access Control in ChatBot <= 7.9.7 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the ChatBot plugin for WordPress (versions 7.9.7 and earlier), developed by QuantumCloud. The flaw is reachable over the network and requires only a low-privilege account (such as a standard subscriber), with no additional user interaction needed. Successful exploitation allows an attacker to tamper with plugin data and disrupt the availability of the chatbot service. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.
HarborGuard Coverage
Detection (Available): detection for CVE-2026-40788 is active across every HarborGuard environment. The CVE is matched against customer images, including custom-built WordPress images, within minutes of its ingestion from upstream feeds. Coverage extends to images in connected registries and in CI/CD pipeline stages.
Scoring (Available): HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy. Routed findings are directed to the appropriate inbox within the customer org based on configured ownership rules.
Patched-image rebuild (Pending upstream): because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears. Until then, compensating controls such as network-policy isolation or role restriction can be applied manually within each environment.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the WordPress service over the network; no local or physical access is required.
- Authentication: Required
  A low-privilege account, such as a standard subscriber role, is sufficient to trigger the vulnerability.
- Victim interaction: Not required
  No victim interaction is needed; the attacker can exploit the flaw directly without social engineering.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental factors.
Blast Radius
- An attacker with subscriber-level access can modify chatbot plugin data, altering conversation flows or stored configuration.
- The chatbot service availability can be disrupted, causing the plugin to become non-functional for end users.
- No direct confidentiality impact is indicated; stored records and session data are not exposed through this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-40788 is active, matching this vulnerability against all customer images that include the QuantumCloud ChatBot plugin at affected versions. Because no upstream fix has been published, the advisory is re-evaluated on every ingest cycle so that a patched-image rebuild becomes available automatically once a remediated version ships. In the interim, customers can reduce exposure by applying network policies that restrict access to the WordPress installation to trusted roles only, tightening role-based access controls to limit subscriber-level capabilities on chatbot endpoints, and flagging affected images in the HarborGuard compliance dashboard for manual review. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered as soon as a fix version is published upstream.
Affected Products
- QuantumCloud / ChatBot: ≤ 7.9.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H