Skip to main content

Collectchat WordPress Plugin CVE-2026-40765

| EUVDEUVD-2026-37603 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Unauthenticated network XSS requires victim click (UI:R); scope changes to WP origin with limited C/I via session theft, but no realistic availability impact from reflected XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:14 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.

Technical ContextAI

Collectchat is a WordPress plugin (CPE: cpe:2.3:a:collectchat:collectchat) that integrates chat/chatbot functionality into WordPress sites. The vulnerability is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is rendered into HTML/JavaScript context without sufficient sanitization or output encoding. The CVSS scope change (S:C) indicates the injected payload can affect resources beyond the vulnerable component itself - typical of XSS where attacker-controlled JavaScript runs in the trusted WordPress origin and can access cookies, session tokens, or invoke admin actions across the broader WordPress security boundary.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data; site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/collectchat/vulnerability/wordpress-collectchat-plugin-2-4-9-cross-site-scripting-xss-vulnerability for the latest fixed-version guidance and upgrade to any release later than 2.4.9 once available. As compensating controls until a patched version is confirmed, administrators can deactivate the Collectchat plugin entirely (loss of chat functionality), deploy a WAF rule or virtual patch through Patchstack/Wordfence to block XSS payloads on plugin endpoints (may produce false positives on legitimate chat content), or enforce a strict Content-Security-Policy that disallows inline scripts on pages where the plugin renders (may break other plugins relying on inline JS).

Share

CVE-2026-40765 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy