Impact
The collectchat WordPress plugin, up to version 2.4.9, contains an unauthenticated Cross Site Scripting vulnerability that allows an attacker to inject malicious scripts into the page. The flaw is a client‑side injection flaw and is classified as CWE‑79. This vulnerability does not explicitly state any additional impacts beyond script injection.
Affected Systems
WordPress sites that have the collectchat plugin installed with version 2.4.9 or earlier are affected. The plugin is named collectchat:collectchat and any deployment of those versions is at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high impact risk. The EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. It is an unauthenticated vulnerability, so no authentication is required to exploit it. Based on the description, it is inferred that an attacker could exploit it via direct web requests to the plugin’s input endpoints, although the specific attack vector is not detailed in the CVE.
OpenCVE Enrichment