Description
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Published: 2026-01-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The AhaChat Messenger Marketing WordPress plugin, through version 1.1, fails to sanitise and escape a user‑supplied request parameter before rendering it back into the page, which is a reflected Cross‑Site Scripting (CWE-79) vulnerability. An attacker embeds JavaScript in a crafted link; when a logged‑in administrator opens it, the script runs in the origin of the WordPress site with the administrator's session and can do anything the administrator can do through the browser, such as submitting admin forms with the victim's own nonces, creating accounts or installing code. Outright cookie theft is limited because WordPress sets its authentication cookies HttpOnly, but that does not prevent actions taken in‑page on the victim's behalf. Because the flaw is reflected rather than stored, nothing persists on the site: each victim has to be lured into following the attacker's URL.

Affected Systems

WordPress sites running the AhaChat Messenger Marketing plugin, any version up to and including 1.1. The CVE record lists only Wordpress as vendor and product; no separate vendor entry for AhaChat is recorded on this page.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) rates the flaw High: it is reachable over the network by an unauthenticated attacker with low complexity, but it requires the victim to open the crafted link, and the changed scope records that the script executes in the victim's browser rather than on the server. The EPSS score is below 1%, a low but non‑zero estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not in the CISA KEV catalog, so there is no confirmed in‑the‑wild exploitation; KEV status says nothing about whether an exploit is public, and the SSVC assessment below records Exploitation: poc, meaning a proof of concept exists and the issue is reproducible without further research. The need to lure a privileged user limits mass exploitation, but a single successful lure yields administrative control of the site, so remediation should not be deferred.

Generated by OpenCVE AI on April 28, 2026 at 09:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AhaChat Messenger Marketing plugin as soon as the vendor ships a release later than 1.1 that sanitises and escapes the affected parameter. No fixed version is listed on this page, so check the plugin's changelog before relying on an update.
  • Until a fix is available, consider deactivating the plugin. Keep the number of administrator accounts to a minimum, and make sure those users know not to open unsolicited links to the site's admin area; a reflected XSS only fires when the victim follows the attacker's URL.
  • Configure a Content Security Policy that disallows inline scripts and limits script sources to trusted domains. WordPress core and many plugins rely on inline scripts in wp-admin, so roll a nonce‑ or hash‑based policy out in report‑only mode first; an enforced policy that breaks the dashboard tends to get removed rather than kept.

Generated by OpenCVE AI on April 28, 2026 at 09:43 UTC.
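The coding pattern behind CWE-79 in the Impact section, and the fix the first recommended action calls for, as an added PHP example that is not the AhaChat plugin's code. The page does not name the affected parameter, so the `ahachat_ref` parameter and the form field around it are assumptions, and the function shims exist only so the file runs from the PHP CLI outside WordPress; inside WordPress the core functions are used instead.

```php
<?php
// Added illustration, not the AhaChat Messenger Marketing plugin's code.
// The parameter name "ahachat_ref" is an assumption; the advisory does not
// name the parameter that is reflected.

// Shims so this file also runs from the CLI outside WordPress. When WordPress
// is loaded these core functions already exist and the shims are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress's sanitize_text_field: strips tags and
    // surrounding whitespace. Note it leaves quote characters alone.
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return stripslashes((string) $value);
    }
}

// Vulnerable pattern (CWE-79): the request parameter is written straight
// into an attribute value, so a double quote in the input closes the
// attribute and the rest of the input becomes markup.
function render_vulnerable(array $get): string {
    $ref = $get['ahachat_ref'] ?? '';
    return '<input type="text" name="ahachat_ref" value="' . $ref . '">';
}

// Hardened pattern: sanitise on input, then escape on output for the exact
// context (an attribute value here, hence esc_attr; esc_html for text nodes,
// esc_url for href). The output escaping is what stops the injection;
// sanitising alone does not remove the quote that breaks out of the attribute.
function render_fixed(array $get): string {
    $ref = isset($get['ahachat_ref'])
        ? sanitize_text_field(wp_unslash($get['ahachat_ref']))
        : '';
    return '<input type="text" name="ahachat_ref" value="' . esc_attr($ref) . '">';
}

// Constructed attacker input, as it would arrive via ?ahachat_ref=... in a
// crafted link: closes the value attribute and adds a self-firing handler.
$payload = '" autofocus onfocus="alert(document.domain)';

$vulnerable = render_vulnerable(['ahachat_ref' => $payload]);
$fixed      = render_fixed(['ahachat_ref' => $payload]);

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "fixed:      ", $fixed, PHP_EOL;

// Simple triage check of the same kind a tester applies to a live response:
// does the attacker-controlled attribute survive as markup?
echo "vulnerable reflects raw payload: ",
    var_export(strpos($vulnerable, 'onfocus="alert') !== false, true), PHP_EOL;
echo "fixed reflects raw payload:      ",
    var_export(strpos($fixed, 'onfocus="alert') !== false, true), PHP_EOL;
```

Run it with `php example.php`. The vulnerable rendering contains the payload's `onfocus="alert(...)"` as a live attribute, while the hardened rendering turns every quote into `&quot;` so the whole string stays inside the value attribute. The same check, sending a marker string in the suspect parameter and inspecting whether it comes back encoded or verbatim, is how to confirm whether a given AhaChat installation is exposed without knowing the plugin's internals.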

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 10:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79

Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress
Vendors & Products | | Wordpress, Wordpress wordpress

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 26 Jan 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Title | | AhaChat Messenger Marketing <= 1.1 - Reflected XSS
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:54.729Z

Reserved: 2025-12-09T08:58:04.821Z

Link: CVE-2025-14316

Vulnrichment

Updated: 2026-01-26T14:52:54.997Z

NVD

Status: Deferred

Published: 2026-01-26T07:16:06.383

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses