Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the Alex Volkov Chatter WordPress plugin allows attackers to store malicious scripts in comments or form fields, which are later rendered to users without proper encoding. This stored XSS can lead to execution of arbitrary client‑side code, compromising user sessions, stealing credentials, and revealing site secrets. The weakness follows CWE‑79 and affects all versions up to and including 1.0.1.

Affected Systems

WordPress sites with the Chatter plugin from Alex Volkov installed at version 1.0.1 or earlier are vulnerable. Any installation running one of these plugin versions is at risk regardless of the rest of the WordPress configuration.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for this vulnerability. The EPSS score of less than 1% suggests that, at present, exploitation attempts are unlikely to occur. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by submitting a malicious comment or form entry that is stored and later served to any user who views that content, making the risk significant for sites with active comment features.

Generated by OpenCVE AI on May 1, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Chatter plugin to the latest available version.
  • If an immediate update is not possible, temporarily disable or delete the plugin until a patch can be applied.
  • After applying the patch, review the site for any stored malicious scripts that may have been inserted before the update.

Advisories

Source: EUVD
ID: EUVD-2025-3396
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter chatter allows Stored XSS.This issue affects Chatter: from n/a through <= 1.0.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter chatter allows Stored XSS.This issue affects Chatter: from n/a through <= 1.0.1.
References

Fri, 17 Jan 2025 18:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.
Title
  Added: WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability
Weaknesses
  Added: CWE-79
References
Metrics (cvssV3_1)
  Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:19.149Z

Reserved: 2025-01-16T11:29:46.483Z

Link: CVE-2025-23760

Vulnrichment

Updated: 2025-01-17T17:37:17.172Z

NVD

Status : Deferred

Published: 2025-01-16T21:15:18.257

Modified: 2026-04-28T19:28:59.057

Link: CVE-2025-23760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:15:24Z

Weaknesses