WordPress Plugin Vulnerabilities

Simple Ajax Chat < 20220216 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks

Note: The attack requires specific conditions, making it hard to exploit.

Affects Plugins

Plugin icon
simple-ajax-chat
Fixed in 20220216

References

CVE
CVE-2022-25610

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Philippe Dourassov
Verified
No
WPVDB ID
a5e91bda-6f33-4003-847c-8fd88a251289

Timeline

Publicly Published
2022-02-16 (about 4 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
AnyClip Luminous Studio <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2019-11-13
Title
Quiz And Survey Master < 6.3.5 - Authenticated Reflected XSS
Published
2025-02-21
Title
Google Maps GPX Viewer <= 3.6 - Reflected Cross-Site Scripting
Published
2015-08-19
Title
Floating Social Media Icon <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2014-08-01
Title
LBG Zoominoutslider - add_playlist_record.php Multiple Parameter Stored XSS