Description
The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Simple Ajax Chat plugin for WordPress is susceptible to a stored cross‑site scripting (XSS) flaw triggered by the 'c' parameter. Input supplied through this parameter is neither sanitized on the way in nor escaped on the way out before it is saved and displayed. This allows an unauthenticated attacker to embed arbitrary JavaScript into chat message pages. When a user loads a page that contains the malicious content, the injected script runs in the victim's browser under the affected site's origin, so it executes with whatever access that user's session carries.

Affected Systems

The vulnerability affects the Simple Ajax Chat plugin published by specialk (listed as "Simple Ajax Chat – Add a Fast, Secure Chat Box"). All releases up to and including version 20260217 are impacted. Users running any of these versions are at risk.

Risk and Exploitability

The CVSS v3.1 base score of 6.1 (Medium) reflects network‑reachable, low‑complexity exploitation with no privileges required; it is held below High because user interaction is needed (a victim must view the injected page), while the changed scope reflects that the script executes in visitors' browsers rather than in the plugin itself. The EPSS score is below 1%, indicating a low estimated probability of real‑world exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an unauthenticated user to submit a request with a malicious 'c' parameter value to the plugin's endpoint; no authentication or special privileges are needed, but the attacker must be able to reach the affected WordPress site.

Generated by OpenCVE AI on March 18, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Simple Ajax Chat to a version newer than 20260217
  • If an update is unavailable, consider disabling the plugin until a fix is released
  • Monitor the sites for unusual script activity and ensure content security policies block unexpected inline scripts
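The Impact section above describes the missing sanitize‑on‑input and escape‑on‑output steps, and the recommended actions mention a content security policy as a backstop. The following is an added illustration of both, written for this page; it is not code from the Simple Ajax Chat plugin, and every function, option and nonce name prefixed sac_demo_ is invented. It assumes a WordPress environment (sanitize_text_field, esc_html, check_ajax_referer and the wp_ajax_* hooks are core WordPress APIs).

```php
<?php
// Added illustration, not the plugin's code. A hypothetical WordPress AJAX
// handler that accepts a chat message in a request parameter named "c",
// stores it, and renders it back. All sac_demo_* names are invented.

// Vulnerable shape: the raw parameter is stored and echoed unchanged, so any
// markup in "c" becomes part of the page for every later visitor.
function sac_demo_store_message_unsafe( array $request ): string {
    $message = $request['c'] ?? '';
    update_option( 'sac_demo_last_message', $message ); // stored verbatim
    return '<li class="chat-line">' . $message . '</li>'; // output verbatim
}

// Hardened shape: sanitize before storage, escape at the point of output.
function sac_demo_store_message_safe( array $request ): string {
    // wp_unslash() undoes WordPress's request slashing; sanitize_text_field()
    // strips tags, NUL bytes, octets and encoded line breaks.
    $message = sanitize_text_field( wp_unslash( $request['c'] ?? '' ) );
    // Bound the stored payload so an oversized message cannot be persisted.
    $message = mb_substr( $message, 0, 500 );
    update_option( 'sac_demo_last_message', $message );
    // esc_html() entity-encodes <, >, &, " and ' so the browser renders the
    // message as text rather than markup, whatever survived sanitization.
    return '<li class="chat-line">' . esc_html( $message ) . '</li>';
}

// Register the hardened handler for both logged-in and anonymous callers
// (the advisory notes the endpoint is reachable unauthenticated). The nonce
// check ties submissions to the chat's own form rather than arbitrary posts.
function sac_demo_ajax_post() {
    check_ajax_referer( 'sac_demo_chat', 'nonce' );
    $html = sac_demo_store_message_safe( $_POST );
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_sac_demo_post', 'sac_demo_ajax_post' );
add_action( 'wp_ajax_nopriv_sac_demo_post', 'sac_demo_ajax_post' );

// Defence in depth for the CSP recommendation: a policy without
// 'unsafe-inline' makes browsers refuse inline <script> blocks even if an
// escaping bug slips through elsewhere. The source list is a starting
// point and must be widened to the site's real script and asset origins.
function sac_demo_send_csp_header() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'sac_demo_send_csp_header' );
```

The two storage functions differ only in where the untrusted value is cleaned: sanitization on input limits what gets persisted, but output escaping is the control that actually prevents stored script execution, since content may reach the database by other paths. The CSP header is independent of the plugin fix and is the "block unexpected inline scripts" measure from the recommended actions; deploying it on an existing site usually requires first moving the theme's own inline scripts to external files.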


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Specialk
                                      Specialk simple Ajax Chat – Add A Fast, Secure Chat Box
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products   -                Specialk
                                      Specialk simple Ajax Chat – Add A Fast, Secure Chat Box
                                      Wordpress
                                      Wordpress wordpress

Thu, 12 Mar 2026 13:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 12:45:00 +0000

Type         Values Removed   Values Added
Description  -                The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title        -                Simple Ajax Chat <= 20260217 - Unauthenticated Stored Cross-Site Scripting via 'c'
Weaknesses   -                CWE-79
References   -
Metrics      -                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-12T13:06:05.621Z

Reserved: 2026-02-22T18:02:43.332Z

Link: CVE-2026-2987

Vulnrichment

Updated: 2026-03-12T13:05:58.901Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T13:16:14.370

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-2987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:50Z

Weaknesses