Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alexvtn Chatbox Manager wa-chatbox-manager allows Stored XSS.This issue affects Chatbox Manager: from n/a through <= 1.2.6.
Published: 2025-08-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Stored Cross‑Site Scripting flaw where user input is improperly neutralized when generating web pages. An attacker can store malicious scripts in the WordPress Chatbox Manager plugin and have them executed in the browsers of any user who views the affected content. This issue is classified under CWE‑79 and can compromise the confidentiality and integrity of the site by allowing arbitrary script execution, session hijacking or defacement.

Affected Systems

The affected product is the Chatbox Manager plugin (wa‑chatbox‑manager) developed by alexvtn. All released versions up to and including 1.2.6 are vulnerable; versions prior to the first release are also affected. Site operators using any of these versions of the plugin are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is less than 1 %, suggesting that the probability of exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is injection of malicious JavaScript into stored data that the plugin renders without proper escaping – an attacker who can create or modify chatbox content can achieve execution of arbitrary scripts in the browsers of visitors to that content.

Generated by OpenCVE AI on April 30, 2026 at 03:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chatbox Manager to a version newer than 1.2.6 or apply any vendor patch that addresses the XSS issue.
  • If an upgrade is not immediately possible, disable or uninstall the Chatbox Manager plugin to prevent the exploitation of the flaw.
  • Configure the plugin or the WordPress instance to sanitize or whitelist input for any chatbox content, ensuring that all user‑supplied data is properly encoded before rendering.

Generated by OpenCVE AI on April 30, 2026 at 03:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25922 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alexvtn Chatbox Manager allows Stored XSS. This issue affects Chatbox Manager: from n/a through 1.2.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alexvtn Chatbox Manager allows Stored XSS. This issue affects Chatbox Manager: from n/a through 1.2.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alexvtn Chatbox Manager wa-chatbox-manager allows Stored XSS.This issue affects Chatbox Manager: from n/a through <= 1.2.6.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 28 Aug 2025 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Alexvtn
Alexvtn chatbox Manager
Wordpress
Wordpress wordpress
Vendors & Products Alexvtn
Alexvtn chatbox Manager
Wordpress
Wordpress wordpress

Wed, 27 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alexvtn Chatbox Manager allows Stored XSS. This issue affects Chatbox Manager: from n/a through 1.2.6.
Title WordPress Chatbox Manager Plugin <= 1.2.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Alexvtn Chatbox Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:35:30.116Z

Reserved: 2025-08-27T16:19:10.126Z

Link: CVE-2025-58211

cve-icon Vulnrichment

Updated: 2025-08-27T18:52:11.128Z

cve-icon NVD

Status : Deferred

Published: 2025-08-27T18:15:49.190

Modified: 2026-04-23T15:33:18.727

Link: CVE-2025-58211

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')