Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that permits stored cross‑site scripting within the Form to Chat App plugin. An attacker can inject malicious scripts that persist in the chat content and execute in the browser of any user who views the stored messages, potentially leading to credential theft, defacement, or session hijacking. The weakness is a classic CWE-79 input validation flaw with moderate severity.

Affected Systems

WordPress sites that rely on the Micro.company Form to Chat App plugin version 1.2.5 and earlier. The issue exists across all supported WordPress deployments using this plugin.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate threat, while the EPSS score of less than 1% suggests exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via the user‑controlled chat input field that is stored and later rendered to other users. An attacker who can submit content to the chat feature can place persistent malicious scripts, eliminating the need for direct access to server files.

Generated by OpenCVE AI on April 16, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Form to Chat App plugin to a version newer than 1.2.5.
  • Disable or restrict the display of chat messages in public areas until the plugin is updated or additional sanitization is in place.
  • Implement server‑side filtering or output escaping for all user‑submitted content in the chat feature to eliminate stored scripts.



Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics
  • cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared
  • Micro.company
  • Micro.company form To Chat App
  • Wordpress
  • Wordpress wordpress
Vendors & Products
  • Micro.company
  • Micro.company form To Chat App
  • Wordpress
  • Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5.
Title: WordPress Form to Chat App plugin <= 1.2.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:56.878Z

Reserved: 2026-01-07T13:43:59.553Z

Link: CVE-2026-22463

Vulnrichment

Updated: 2026-01-27T20:37:59.847Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:35.153

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses