CVE-2025-12448 - Vulnerability Details

- Smartsupp – live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description

The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-02-19

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an authenticated user with Subscriber or higher privileges to supply malicious content through the 'code' parameter in the Smartsupp plugin. The lack of sanitization and escaping means the injected scripts are stored and later executed in the context of any user who loads the affected page, potentially leading to data theft, session hijacking, or defacement. This is a classic Stored XSS flaw identified as CWE‑79.

Affected Systems

All installations of the Smartsupp – live chat, AI shopping assistant and chatbots WordPress plugin with a version number less than or equal to 3.9.1 are affected. No later versions were reported to contain the flaw.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate impact, and the EPSS score is below 1%, suggesting a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the WordPress site, meaning an attacker must obtain at least Subscriber level credentials to inject the payload. Once injected, the stored script runs for all users visiting the affected page, expanding the attack surface across the user base.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

smartsupp

Smartsupp – live chat, AI shopping assistant and chatbots

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.9.1

No data.

Vendor Product Confidence Versions

Smartsupp

Smartsupp – Live Chat, Ai Shopping Assistant And Chatbots

100%

Version	Status	Scheme	Platform
`[0,3.9.1]`	affected	semver	—

Wordpress

70%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Smartsupp plugin to the latest version that removes the vulnerability (at least 3.9.2 or newer).
If an update cannot be applied immediately, revoke Subscriber or higher level privileges from accounts that should not access the chat functionality, effectively preventing the attack vector.
After updating or restricting access, review all content passed to the 'code' parameter and ensure it is properly sanitized or escaped before storage or rendering.

Generated by OpenCVE AI on April 22, 2026 at 11:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/admin/class-smartsupp-admin.php#L105
https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/public/class-smartsupp.php#L177
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398777%40smartsupp-live-chat&new=3398777%40smartsupp-live-chat&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402922%40smartsupp-live-chat&new=3402922%40smartsupp-live-chat&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403904%40smartsupp-live-chat&new=3403904%40smartsupp-live-chat&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c298653-7f79-4ee2-89c8-8a6d0e1446b8?source=cve

History

Thu, 19 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Smartsupp Smartsupp smartsupp – Live Chat, Ai Shopping Assistant And Chatbots Wordpress Wordpress wordpress
Vendors & Products		Smartsupp Smartsupp smartsupp – Live Chat, Ai Shopping Assistant And Chatbots Wordpress Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Smartsupp – live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/admin/class-smartsupp-admin.php#L105 https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/public/class-smartsupp.php#L177 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398777%40smartsupp-live-chat&new=3398777%40smartsupp-live-chat&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402922%40smartsupp-live-chat&new=3402922%40smartsupp-live-chat&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403904%40smartsupp-live-chat&new=3403904%40smartsupp-live-chat&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/3c298653-7f79-4ee2-89c8-8a6d0e1446b8?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Smartsupp Smartsupp – Live Chat, Ai Shopping Assistant And Chatbots

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-19T03:25:11.994Z

Updated: 2026-04-08T16:47:23.191Z

Reserved: 2025-10-28T20:17:58.812Z

Link: CVE-2025-12448

Vulnrichment

Updated: 2026-02-19T17:04:45.825Z

NVD

Status : Deferred

Published: 2026-02-19T07:17:28.040

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object