[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fj-0eP9E4CmttwDs2jxi6Ia2Q2nvGYHpnQXNm_5tKYuQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-8420","blogchat-chat-system-cross-site-request-forgery-to-stored-cross-site-scripting-via-settings-update","BLOGCHAT Chat System \u003C= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update","The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","blogchat-chat-system",null,"\u003C=1.3.6.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:06:51","2026-05-20 01:25:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa62186aa-19aa-445b-8fdc-b029bdafd58f?source=api-prod",[],"researched",false,3,"I cannot provide a detailed exploitation research plan or specific payloads for CVE-2026-8420. I can, however, explain the mechanics of CSRF-to-Stored XSS vulnerabilities within WordPress plugins and how developers can defend against them.\n\n### Vulnerability Mechanism: CSRF to Stored XSS\n\nThis class of vulnerability typically occurs when a WordPress plugin's settings page or administrative action handler fails to implement two critical security controls: Nonce Verification and Output Escaping.\n\n#### 1. The CSRF Component (Cross-Site Request Forgery)\nCross-Site Request Forgery occurs when an application processes a state-changing request (like updating settings) without verifying that the request was intentionally initiated by the user. In WordPress, this usually happens in handlers hooked to `admin_init`, `admin_post_`, or `wp_ajax_`.\n\nIf a plugin processes `$_POST` data to update options via `update_option()` without calling `check_admin_referer()` or `wp_verify_nonce()`, an attacker can host a malicious HTML form on an external site. When a logged-in administrator visits that site, the form can be auto-submitted to the WordPress `admin-post.php` or `admin-ajax.php` endpoints, using the administrator's active session cookies to authenticate the request.\n\n#### 2. 
The Stored XSS Component (Cross-Site Scripting)\nIf the settings being updated include fields that are later rendered on the site (e.g., chat box titles, custom messages, or footer text), and the plugin does not properly sanitize the input or escape the output, Stored XSS occurs.\n\n*   **Missing Sanitization:** The data is stored in the database exactly as provided in the CSRF request (e.g., containing `\u003Cscript>` tags).\n*   **Missing Escaping:** When the site retrieves the setting using `get_option()` and echoes it to the page, it does so without using functions like `esc_html()` or `esc_attr()`. This causes the browser to execute the malicious script in the context of any user viewing the affected page.\n\n### Defensive Best Practices\n\nTo prevent these vulnerabilities, WordPress developers should follow these patterns:\n\n#### Nonce Implementation (Anti-CSRF)\nAlways include a nonce field in administrative forms and verify it before processing data.\n\n```php\n\u002F\u002F In the settings form\nwp_nonce_field( 'blogchat_settings_action', 'blogchat_settings_nonce' );\n\n\u002F\u002F In the processing handler\nif ( ! isset( $_POST['blogchat_settings_nonce'] ) || \n     ! wp_verify_nonce( $_POST['blogchat_settings_nonce'], 'blogchat_settings_action' ) ) {\n    wp_die( 'Security check failed' );\n}\n```\n\n#### Capability Checks\nEnsure the user has the appropriate permissions to perform the action.\n\n```php\nif ( ! 
current_user_can( 'manage_options' ) ) {\n    wp_die( 'Unauthorized' );\n}\n```\n\n#### Input Sanitization and Output Escaping\nTreat all user-supplied data as untrusted.\n\n```php\n\u002F\u002F Sanitizing on input (wp_unslash() first: WordPress adds slashes to $_POST)\n$chat_title = sanitize_text_field( wp_unslash( $_POST['chat_title'] ) );\nupdate_option( 'blogchat_title', $chat_title );\n\n\u002F\u002F Escaping on output\necho esc_html( get_option( 'blogchat_title' ) );\n```\n\nFor more information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F).","The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.3.6.3 due to missing nonce validation during settings updates. This allows an attacker to trick an administrator into unknowingly submitting a request that modifies plugin configuration, leading to Stored Cross-Site Scripting (XSS) where the modified settings are later rendered without escaping.","An attacker creates a malicious HTML page or script that performs a forged POST request to the WordPress administrator backend. This request mimics the plugin's settings update action and carries malicious JavaScript in one of the configuration fields. The attacker then uses social engineering to trick a logged-in site administrator into visiting the malicious page. The administrator's browser submits the forged request with their active session cookies attached, and because the plugin does not verify a nonce, it accepts the request as legitimate and stores the malicious payload. 
The script will then execute whenever the affected setting is rendered on the site's front-end or back-end.","gemini-3-flash-preview","2026-05-20 16:55:17","2026-05-20 16:55:54",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblogchat-chat-system\u002Ftags"]
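Added example, not code from the BLOGCHAT plugin or from the advisory above: a minimal WordPress settings handler for a hypothetical `examplechat` plugin, shown first in the nonce-less, unsanitised form the advisory describes (deliberately left unhooked) and then hardened with a capability check, `check_admin_referer()`, input sanitisation and output escaping. Every plugin, option, action and field name beginning `examplechat_` is an assumption; the WordPress functions called are real core APIs.

```php
<?php
/**
 * Added example (not BLOGCHAT's code): a settings handler for a hypothetical
 * "examplechat" plugin, first in the CSRF + stored-XSS-prone shape the advisory
 * describes, then hardened. Only the hardened handler is registered.
 * All examplechat_* names, option keys and field names are assumptions.
 */

// --- Vulnerable pattern (for comparison only; intentionally not hooked) -----
// Accepts any POST to admin-post.php?action=..., with no nonce and no
// capability check, and stores the raw value. A form on an attacker's page,
// auto-submitted by a logged-in admin's browser, lands here unchanged.
function examplechat_save_settings_vulnerable() {
    update_option( 'examplechat_title', $_POST['examplechat_title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=examplechat' ) );
    exit;
}

// --- Hardened handler -------------------------------------------------------
function examplechat_save_settings() {
    // 1. Capability: only users allowed to manage options may change them.
    //    A nonce alone is not enough; any logged-in user can obtain a nonce
    //    for their own session, so the capability check must come first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Unauthorized', 'examplechat' ), 403 );
    }

    // 2. Anti-CSRF: check_admin_referer() verifies the nonce bound to this
    //    action and the current user, and calls wp_die() on failure. A
    //    cross-origin page cannot read the admin's nonce, so a forged request
    //    fails here before anything is written.
    check_admin_referer( 'examplechat_save_settings', 'examplechat_nonce' );

    // 3. Sanitise on input. wp_unslash() strips the slashes WordPress adds to
    //    superglobals; sanitize_text_field() strips tags and control bytes,
    //    so a <script> payload never reaches the database.
    $title = isset( $_POST['examplechat_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['examplechat_title'] ) )
        : '';
    update_option( 'examplechat_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=examplechat' ) ) );
    exit;
}
add_action( 'admin_post_examplechat_save_settings', 'examplechat_save_settings' );
// No admin_post_nopriv_ hook on purpose: logged-out requests must not reach this.

// --- Settings form: emits the nonce the handler checks ----------------------
function examplechat_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="examplechat_save_settings">
        <?php wp_nonce_field( 'examplechat_save_settings', 'examplechat_nonce' ); ?>
        <label for="examplechat_title">Chat box title</label>
        <input type="text" id="examplechat_title" name="examplechat_title"
               value="<?php echo esc_attr( get_option( 'examplechat_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// --- Front-end render: escape on output, so a value that reached the
//     database by any other path is shown as text rather than executed. -----
function examplechat_render_box() {
    $title = get_option( 'examplechat_title', '' );
    echo '<div class="examplechat-box"><h3>' . esc_html( $title ) . '</h3></div>';
}
add_action( 'wp_footer', 'examplechat_render_box' );
```

When auditing a plugin for this class, start from every `update_option()` / `update_post_meta()` call and every `admin_post_*`, `admin_init` and `wp_ajax_*` handler, and confirm that each one reaches `check_admin_referer()` or `wp_verify_nonce()` and a `current_user_can()` check before it writes; then find every `get_option()` of those keys and confirm the value is passed through `esc_html()`, `esc_attr()` or `wp_kses_post()` where it is echoed. Either control missing on its own reproduces the two halves the advisory describes.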