CVE-2026-2987 WordPress — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	6.1 (MEDIUM)
Type	CWE-79 (Cross-Site Scripting (XSS))
Vendor	WordPress
Public PoC	No

The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

Required

User action required

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

Low

Partial data modification

Availability

None

No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 2

https://plugins.trac.wordpress.org/changeset/3472258/simple-ajax-chat

security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/3c07dec6-ddb7-45df-8b…

security@wordfence.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-2687

WordPress

None

CVE-2025-15473

WordPress

None

CVE-2026-3657

WordPress

7.5

CVE-2026-3226

WordPress

4.3

CVE-2026-3496

WordPress

7.5

Menu

CVE-2026-2987

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-2687

CVE-2025-15473

CVE-2026-3657

CVE-2026-3226

CVE-2026-3496

CVE Details

Editor's Choice

Menu

CVE-2026-2987

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-2687

CVE-2025-15473

CVE-2026-3657

CVE-2026-3226

CVE-2026-3496

CVE Details

Editor's Choice

Stay informed on cybersecurity