CVE-2026-2987
Stored XSS in Simple Ajax Chat WordPress Plugin Allows Script Injection
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | simple_ajax_chat | to 20260217 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Simple Ajax Chat plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 20260217. This vulnerability arises because the plugin does not properly sanitize or escape the input received via the 'c' parameter. As a result, an unauthenticated attacker can inject malicious web scripts into chat messages or pages. These scripts will execute whenever any user accesses the affected page, potentially compromising their security.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website for any user who views the injected content. This can lead to theft of user credentials, session hijacking, defacement of the website, or distribution of malware. Since the attack can be performed without authentication, it poses a significant risk to all users of the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'c' parameter in the Simple Ajax Chat WordPress plugin. Detection involves identifying if your system is running a vulnerable version of the plugin (up to and including 20260217) and checking for suspicious or malicious script injections in chat messages or pages.
You can detect attempts or presence of this vulnerability by searching for suspicious script tags or encoded payloads in the 'c' parameter or chat message content stored in your WordPress database or logs.
- Use grep or similar tools to search web server logs for suspicious payloads, e.g., grep -i '<script' /path/to/logs/access.log
- Query the WordPress database for the 'c' parameter or chat message content containing script tags, e.g., using SQL: SELECT * FROM wp_simple_ajax_chat WHERE c LIKE '%<script%';
- Use web vulnerability scanners or tools that detect stored XSS vulnerabilities targeting the affected plugin.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Simple Ajax Chat WordPress plugin to version 20260301 or later, which includes fixes for URL sanitization and link handling that address this vulnerability.
Ensure your WordPress installation and PHP version meet the updated plugin requirements (WordPress 4.7 or higher and PHP 5.6.20 or higher) to maintain compatibility and security.
If immediate update is not possible, consider disabling the Simple Ajax Chat plugin temporarily to prevent exploitation.
Review and sanitize any stored chat messages or content that may contain malicious scripts to prevent execution upon user access.