Description
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-02-19
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via admin settings
Action: Apply Update
AI Analysis

Impact

The TalkJS WordPress plugin allows authenticated users with administrator or higher privileges to store malicious scripts in the welcomeMessage field. Those scripts are persisted in the database and executed whenever another user views the affected page. This stored cross‑site scripting can lead to session hijacking, defacement, or the delivery of malware to users who view the page.

Affected Systems

All TalkJS plugin installations up to and including version 0.1.15 on WordPress multisite setups or on installations where the unfiltered_html feature has been disabled are affected. The flaw resides in standard administrative settings and is not present in later releases.

Risk and Exploitability

With a CVSS score of 4.4, the vulnerability is of moderate severity. The EPSS score is below 1 %, indicating a low probability of exploitation in the near term, and it is not listed in CISA's KEV catalog. The attack requires the attacker to be a logged‑in administrator who can modify the welcomeMessage field; once the payload is stored, any site visitor who loads the affected page will execute the script. This gives the attacker script execution in visitors' browsers without exploiting any backend code and without credentials beyond administrative access.

Generated by OpenCVE AI on April 15, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TalkJS plugin to a version newer than 0.1.15 where the input is properly sanitized and output is escaped.
  • If an update is not yet available, disable the TalkJS plugin or the specific welcomeMessage setting until a fix is released.
  • As a temporary mitigation, re‑enable WordPress's unfiltered_html feature or restrict the administrator role so that only trusted users can modify plugin settings.
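The sanitize-on-save, escape-on-output pattern that the description and the first recommended action refer to, shown below as an added PHP illustration; this is not the TalkJS plugin's own code, and the option name talkjs_welcome_message, the example_ function names and the settings group are assumptions standing in for the plugin's welcomeMessage setting.

```php
<?php
// Added illustration, not TalkJS plugin code. The option "talkjs_welcome_message",
// the settings group "example_talkjs" and all example_* names are assumptions.

// --- Vulnerable pattern: the raw setting is stored and echoed as-is. ---
function example_vuln_register_setting() {
    // No sanitize_callback: whatever the admin submits is stored verbatim.
    register_setting( 'example_talkjs', 'talkjs_welcome_message' );
}

function example_vuln_render_widget() {
    // Unescaped output: stored markup is interpreted by every visitor's browser.
    echo '<div class="welcome">' . get_option( 'talkjs_welcome_message', '' ) . '</div>';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function example_sanitize_welcome_message( $value ) {
    // The welcome message is plain text, so tags and control characters are
    // stripped regardless of the saving user's role. This is what keeps the
    // setting safe on multisite and where unfiltered_html has been revoked.
    return sanitize_text_field( (string) $value );
}

function example_register_setting() {
    register_setting( 'example_talkjs', 'talkjs_welcome_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_welcome_message',
        'default'           => '',
    ) );
}

function example_render_widget() {
    // Escape at the point of output even though the value was sanitized on
    // save: the database may still hold values written before the fix.
    $msg = get_option( 'talkjs_welcome_message', '' );
    echo '<div class="welcome">' . esc_html( $msg ) . '</div>';
}

function example_print_js_config() {
    // When the same value is handed to the chat widget's JavaScript
    // configuration, encode for that context instead of HTML-escaping.
    $msg = get_option( 'talkjs_welcome_message', '' );
    echo '<script>var exampleWelcome = ' . wp_json_encode( $msg ) . ';</script>';
}

add_action( 'admin_init', 'example_register_setting' );
```

Escaping on output is the control that protects visitors; sanitizing on save merely keeps unwanted markup out of the database.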

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000
  Type: References

Tue, 24 Feb 2026 20:15:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000
  Type: First Time appeared
  Values Added: Talkjs; Talkjs talkjs; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values Added: Talkjs; Talkjs talkjs; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000
  Type: Description
  Values Added: The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
  Type: Title
  Values Added: TalkJS <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter
  Type: Weaknesses
  Values Added: CWE-79
  Type: References
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T15:10:31.175Z

Reserved: 2026-01-16T17:11:29.252Z

Link: CVE-2026-1055

Vulnrichment

Updated: 2026-02-23T18:47:21.168Z

NVD

Status : Deferred

Published: 2026-02-19T07:17:43.543

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses