Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS requires victim click (UI:R); scope changes to WP origin with limited C/I via session theft, but no realistic availability impact from reflected XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions.
AnalysisAI
Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.
Technical ContextAI
Collectchat is a WordPress plugin (CPE: cpe:2.3:a:collectchat:collectchat) that integrates chat/chatbot functionality into WordPress sites. The vulnerability is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is rendered into HTML/JavaScript context without sufficient sanitization or output encoding. The CVSS scope change (S:C) indicates the injected payload can affect resources beyond the vulnerable component itself - typical of XSS where attacker-controlled JavaScript runs in the trusted WordPress origin and can access cookies, session tokens, or invoke admin actions across the broader WordPress security boundary.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data; site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/collectchat/vulnerability/wordpress-collectchat-plugin-2-4-9-cross-site-scripting-xss-vulnerability for the latest fixed-version guidance and upgrade to any release later than 2.4.9 once available. As compensating controls until a patched version is confirmed, administrators can deactivate the Collectchat plugin entirely (loss of chat functionality), deploy a WAF rule or virtual patch through Patchstack/Wordfence to block XSS payloads on plugin endpoints (may produce false positives on legitimate chat content), or enforce a strict Content-Security-Policy that disallows inline scripts on pages where the plugin renders (may break other plugins relying on inline JS).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37603