Description
The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

An authenticated user with Contributor permissions or higher can store arbitrary JavaScript in the '_inpost_head_script[synth_header_script]' post meta field handled by the Chatbot for WordPress plugin. Because the plugin neither sanitizes the value on save nor escapes it on output, the stored script runs in the browser of every visitor who views the affected post or page. The script executes in the context of the site's origin, so it can be used for credential theft, session hijacking, defacement, or phishing.

Affected Systems

The vulnerability exists in all releases of the Chatbot for WordPress by Collect.chat up to and including version 2.4.8. WordPress sites running any of those versions of the plugin (as distributed in the WordPress plugin repository) are affected. The flaw is tied to the plugin’s post meta handling and is independent of the underlying WordPress version.

Risk and Exploitability

With a CVSS score of 6.4 and an EPSS score below 1%, the flaw is rated medium severity and is unlikely to be actively exploited in the wild. Because the attack requires only Contributor-level access, however, the risk is significant for sites that grant many users that role. The attacker can plant the script in any post or page whose meta field they can edit; once stored, it runs for every visitor to that content. The flaw does not yield server-side code execution, but the CVSS vector (scope changed, C:L/I:L, A:N) reflects that the injected script can compromise visitors' sessions, affecting confidentiality and integrity rather than availability.

Generated by OpenCVE AI on April 15, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Chatbot for WordPress plugin to the most recent release that removes the vulnerable meta handling.
  • Immediately remove any stored scripts from the '_inpost_head_script[synth_header_script]' meta field in existing posts; you can do this by editing the post meta in the database or using a mass-edit plugin.
  • Add a Content Security Policy (via an HTTP header or a security plugin) whose script-src omits 'unsafe-inline', so that injected inline scripts are blocked even if another XSS flaw appears.
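As an added illustration of the three recommended actions above (audit and cleanup of the stored meta, a write-side sanitization rule, and a Content Security Policy), here is a must-use plugin snippet. It is example code written for this page, not the Collect.chat plugin's code or anything OpenCVE provides. It assumes the field is stored as a post-meta array under the key '_inpost_head_script' with the sub-key 'synth_header_script' (inferred from the field name in the description); the function names, the CSP report endpoint and the policy itself are placeholders to adjust for the site.

```php
<?php
/**
 * Added example (not code from the Collect.chat plugin or from OpenCVE).
 * Assumption: the vulnerable field is stored as a post meta row with
 * meta_key '_inpost_head_script' whose value is an array holding the key
 * 'synth_header_script' (inferred from the field name in the advisory).
 * Drop it into wp-content/mu-plugins/ or run it with `wp eval-file`.
 */

/**
 * Audit step: list every post whose '_inpost_head_script' meta carries a
 * non-empty 'synth_header_script' entry. Returns [ post_id => stored value ]
 * so the findings can be reviewed before anything is deleted.
 */
function cc_audit_synth_header_scripts() {
    $found    = array();
    $post_ids = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
        'meta_key'    => '_inpost_head_script', // assumed meta key, see header
    ) );
    foreach ( $post_ids as $post_id ) {
        $meta = get_post_meta( $post_id, '_inpost_head_script', true );
        if ( is_array( $meta ) && ! empty( $meta['synth_header_script'] ) ) {
            $found[ $post_id ] = $meta['synth_header_script'];
        }
    }
    return $found;
}

/**
 * Cleanup step: strip the stored script from each affected post. Other keys
 * in the meta array are kept; the row is deleted only if nothing remains.
 */
function cc_remove_synth_header_scripts( array $found ) {
    foreach ( array_keys( $found ) as $post_id ) {
        $meta = get_post_meta( $post_id, '_inpost_head_script', true );
        if ( ! is_array( $meta ) ) {
            continue;
        }
        unset( $meta['synth_header_script'] );
        if ( empty( $meta ) ) {
            delete_post_meta( $post_id, '_inpost_head_script' );
        } else {
            update_post_meta( $post_id, '_inpost_head_script', $meta );
        }
    }
}

/*
 * Write-side guard: WordPress runs sanitize_meta() inside update_metadata()
 * and add_metadata(), which apply the 'sanitize_post_meta_{$meta_key}' filter.
 * Hooking it applies the rule core already uses for post content: only users
 * holding the 'unfiltered_html' capability may store raw markup; everyone
 * else (Contributors included) gets the value passed through wp_kses_post(),
 * which drops <script> tags and event-handler attributes. This covers writes
 * that go through the meta API only, not direct SQL.
 */
add_filter( 'sanitize_post_meta__inpost_head_script', function ( $meta_value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $meta_value;
    }
    if ( is_array( $meta_value ) && isset( $meta_value['synth_header_script'] ) ) {
        $meta_value['synth_header_script'] = wp_kses_post( $meta_value['synth_header_script'] );
    }
    return $meta_value;
} );

/*
 * Read-side mitigation from the last recommendation: a Content Security Policy
 * whose script-src has no 'unsafe-inline'. Shipped as Report-Only so that the
 * violation reports reveal which legitimate inline scripts the theme and other
 * plugins rely on before the policy is enforced. The report endpoint is a
 * placeholder.
 */
add_action( 'send_headers', function () {
    header( "Content-Security-Policy-Report-Only: script-src 'self'; report-uri /csp-report-endpoint-placeholder" );
} );

// Usage from WP-CLI: `wp eval 'print_r( cc_audit_synth_header_scripts() );'`
// then, after reviewing the output:
// `wp eval 'cc_remove_synth_header_scripts( cc_audit_synth_header_scripts() );'`
```

Run the audit first and keep its output: the stored values are evidence of who planted what, and the post IDs tell you which content to check for other tampering. Only enforce the CSP (rename the header to Content-Security-Policy) once the report-only run shows no legitimate inline scripts are being flagged.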

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared: Collectchat; Collectchat chatbot For Wordpress By Collect.chat ⚡️; Wordpress; Wordpress wordpress
Vendors & Products: Collectchat; Collectchat chatbot For Wordpress By Collect.chat ⚡️; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Chatbot for WordPress by Collect.chat ⚡️ <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:32.341Z

Reserved: 2026-01-08T16:04:12.471Z

Link: CVE-2026-0736

Vulnrichment

Updated: 2026-02-17T15:36:31.159Z

NVD

Status : Deferred

Published: 2026-02-14T07:16:08.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses