Description
The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data.
Published: 2025-12-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Plugin
AI Analysis

Impact

The MxChat – AI Chatbot for WordPress plugin contains a sensitive information exposure flaw that allows unauthenticated attackers to retrieve session values from uploaded filenames. These session values can then be used to access protected conversation data, effectively enabling unauthorized data access.

Affected Systems

All installations of the MxChat – AI Chatbot & Content Generation for WordPress plugin with a version equal to or below 2.5.5 are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack is likely carried out without authentication, exploiting the plugin’s handling of upload filenames to glean session data. Once obtained, the session value could be passed in requests for conversation content, bypassing normal access controls.

Generated by OpenCVE AI on April 21, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MxChat plugin to the latest version (2.6 or later) to eliminate the information exposure flaw.
  • If an immediate update is not possible, disable the file upload feature of the plugin or restrict uploads to authenticated users only to prevent revealing session data.
  • Remove or restrict public access to the plugin’s temporary upload directories so that uploaded filenames cannot be inspected by unauthorized users.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
References

Wed, 08 Apr 2026 17:45:00 +0000


Wed, 03 Dec 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Dec 2025 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mxchat; Mxchat ai Chatbot For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products | | Mxchat; Mxchat ai Chatbot For Wordpress; Wordpress; Wordpress wordpress

Wed, 03 Dec 2025 03:45:00 +0000

Type | Values Removed | Values Added
Description | | The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data.
Title | | MxChat – AI Chatbot for WordPress <= 2.5.5 - Unauthenticated Information Exposure
Weaknesses | | CWE-200
References
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T18:58:43.157Z

Reserved: 2025-10-31T22:16:47.560Z

Link: CVE-2025-12585

Vulnrichment

Updated: 2025-12-03T14:45:37.939Z

NVD

Status: Deferred

Published: 2025-12-03T04:15:59.650

Modified: 2026-04-22T20:16:31.220

Link: CVE-2025-12585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses