CVE-2026-22463

Form to Chat App <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Form to Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.5
PublishedJanuary 4, 2026
Last updatedJanuary 14, 2026
Affected pluginform-to-chat
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan for this specific vulnerability. I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress plugins and the standard defensive measures used to prevent such issues. ### Understanding S…

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan for this specific vulnerability. I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress plugins and the standard defensive measures used to prevent such issues.

Understanding Stored XSS in WordPress

Stored Cross-Site Scripting occurs when an application receives data from a user and stores it in its database without proper sanitization. This data is later retrieved and displayed to other users (such as administrators or site visitors) without adequate escaping. If the data contains malicious JavaScript, that script will execute in the browser context of any user who views the page where the data is rendered.

In the context of WordPress plugins, this often happens during the following operations:

  1. Data Ingestion: A plugin provides a form or an AJAX endpoint that allows users (sometimes with specific roles like 'Contributor') to save settings, metadata, or content. If the plugin uses functions like update_option(), update_post_meta(), or wp_insert_post() without first passing the input through sanitization functions, malicious scripts can be stored in the database.
  2. Data Rendering: When the stored data is eventually displayed on an admin page, a dashboard, or a public post, the plugin might use echo or print directly. If the data is not processed by escaping functions at this stage, the browser will interpret the stored script as executable code.

Standard Defensive Measures

To prevent Stored XSS, WordPress developers follow the principle of "Sanitize on Input, Escape on Output."

1. Input Sanitization

When receiving data from a user, developers should use sanitization functions to strip out or neutralize dangerous characters. Common functions include:

  • sanitize_text_field(): Strips all HTML tags and removes line breaks/tabs.
  • sanitize_textarea_field(): Similar to the above but preserves line breaks.
  • wp_kses(): Allows only specific, safe HTML tags and attributes, which is useful for rich text inputs.

2. Output Escaping

Regardless of whether data was sanitized on input, it must always be escaped before being rendered in the browser. This ensures that even if malicious data reached the database, it is treated as literal text rather than code.

  • esc_html(): Used when data is placed inside HTML tags (e.g., <div><?php echo esc_html( $data ); ?></div>).
  • esc_attr(): Used when data is placed inside an HTML attribute (e.g., <input value="<?php echo esc_attr( $data ); ?>">).
  • esc_url(): Used for URLs in href or src attributes to prevent javascript: protocol URI attacks.

3. Access Control and Nonce Verification

For actions that modify data, WordPress plugins should implement:

  • Capability Checks: Using current_user_can() to ensure the user has the appropriate permissions (e.g., manage_options).
  • Nonces: Using check_admin_referer() or check_ajax_referer() to verify that the request originated from a legitimate form on the site, preventing Cross-Site Request Forgery (CSRF).

For more information on securing WordPress plugins, you can consult the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Form to Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 1.2.5. This occurs because the plugin fails to properly sanitize user input and escape output, allowing authenticated users with Contributor-level permissions or higher to inject malicious JavaScript into stored settings.

Exploit Outline

1. Authenticate to the WordPress site with at least Contributor-level permissions. 2. Locate a plugin-specific configuration page or metadata field (such as chat form settings or greeting messages) that is saved to the database. 3. Submit a payload containing a malicious script, such as <script>alert(1)</script>, into one of these fields. 4. As an Administrator or another user, navigate to the page where this setting is rendered (either in the admin dashboard or on the public-facing chat widget). 5. The script will execute in the browser of the user viewing the page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.