Skip to main content

Collectchat

1 CVEs product

Monthly

CVE-2026-40765 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.

XSS Collectchat
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.

XSS Collectchat
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy