CVE-2026-3075

Simple Ajax Chat <= 20251121 - Unauthenticated Information Exposure

Severity: medium
CWE: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Patched in: 20260217
Time to patch: 9d

Description

The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 20251121. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 20251121
Published: February 17, 2026
Last updated: February 25, 2026
Affected plugin: simple-ajax-chat

Source Code

WordPress.org SVN

Research Plan
Status: Unverified

This plan outlines the process for investigating and exploiting CVE-2026-3075, an unauthenticated information exposure vulnerability in the Simple Ajax Chat plugin.

1. Vulnerability Summary

The Simple Ajax Chat plugin (up to version 20251121) fails to properly sanitize or restrict data returned via its AJAX handlers. Specifically, the handler responsible for retrieving chat messages or user lists likely includes sensitive fields such as user IP addresses, email addresses, or internal database identifiers that should not be visible to unauthenticated users. This is caused by a lack of capability checks (current_user_can) or improper data filtering before the JSON/HTML response is sent.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: sac_get_messages (inferred based on plugin functionality; the agent must verify this in the source).
  • Payload Parameter: action=sac_get_messages
  • Authentication: Unauthenticated (wp_ajax_nopriv_ hook).
  • Preconditions:
    1. The plugin must be active.
    2. At least one chat room must exist or the default chat must have messages.
    3. A valid nonce may be required for the AJAX request.

3. Code Flow

  1. Registration: The plugin registers AJAX handlers in the main plugin file (likely simple-ajax-chat.php) or a specific AJAX class:
    add_action('wp_ajax_sac_get_messages', 'sac_get_messages');
    add_action('wp_ajax_nopriv_sac_get_messages', 'sac_get_messages');
    
  2. Entry Point: An unauthenticated user sends a request to admin-ajax.php?action=sac_get_messages.
  3. Processing: The sac_get_messages() function (or similar) is invoked.
  4. Data Retrieval: The function queries the database (e.g., {$wpdb->prefix}simple_ajax_chat) for recent messages.
  5. Vulnerable Sink: The retrieved records, which often contain columns like user_ip, user_id, or user_email, are processed and returned to the client via echo or wp_send_json(). The vulnerability exists because the code does not check if the requester has the manage_options capability before including sensitive metadata in the response.
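The code flow above ends in a handler that echoes whole database rows to anyone who can reach the nopriv hook. As an added example (not the plugin's own code), the following shows how such a handler can be written so that sensitive columns are never selected for a non-privileged request; the column names (id, text, ip, user_email) and the nonce action name 'sac_chat' are assumptions, while the sac_nonce and sac_last_id parameters come from the plan.

```php
<?php
// Added example, not the plugin's code. Column names (id, text, ip, user_email)
// and the nonce action name 'sac_chat' are assumptions.

function sac_example_get_messages() {
    global $wpdb;
    // Verify the request nonce; passing false as the third argument returns
    // instead of calling wp_die(), so a JSON error can be sent.
    if ( ! check_ajax_referer( 'sac_chat', 'sac_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // The nonce is readable by anyone who can load the chat page, so it is not
    // an authorization control. The capability check below is the real gate.
    $show_meta = current_user_can( 'manage_options' );

    // Select only the columns this requester is allowed to see; metadata for
    // ordinary visitors never leaves the database.
    $columns = $show_meta ? 'id, text, ip, user_email' : 'id, text';
    $table   = $wpdb->prefix . 'simple_ajax_chat';
    $last_id = isset( $_REQUEST['sac_last_id'] ) ? absint( $_REQUEST['sac_last_id'] ) : 0;

    // $columns and $table are built from fixed strings; the only user-controlled
    // value, $last_id, is bound through prepare().
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT {$columns} FROM {$table} WHERE id > %d ORDER BY id DESC LIMIT 50",
            $last_id
        )
    );

    $messages = array();
    foreach ( $rows as $row ) {
        $message = array(
            'id'   => (int) $row->id,
            'text' => esc_html( $row->text ),
        );
        if ( $show_meta ) {
            $message['ip']         = $row->ip;
            $message['user_email'] = $row->user_email;
        }
        $messages[] = $message;
    }

    wp_send_json_success( $messages );
}

add_action( 'wp_ajax_sac_get_messages', 'sac_example_get_messages' );
add_action( 'wp_ajax_nopriv_sac_get_messages', 'sac_example_get_messages' );
```

Because the column list differs per capability, a response for an unauthenticated request cannot contain the ip or user_email fields even if a later template change starts printing every field of each row.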

4. Nonce Acquisition Strategy

Simple Ajax Chat typically enqueues a script that localizes settings, including a nonce for the AJAX requests.

  1. Identify Shortcode: The plugin uses [sac_chat] or [simple-ajax-chat] to display the chat box.
  2. Setup Page: Create a public page containing the chat:
    wp post create --post_type=page --post_status=publish --post_title="Chat Page" --post_content='[sac_chat]'
    
  3. Extract Nonce:
    • Navigate to the newly created page using browser_navigate.
    • Simple Ajax Chat usually localizes its data into a global JS variable. Search for sac_vars, sac_data, or sac_options.
    • Execution Command:
      browser_eval("window.sac_vars?.sac_nonce || window.sac_data?.nonce")
      
    • Note: If wp_verify_nonce is called with -1 or if the check is missing in the nopriv handler, this step may be optional.

5. Exploitation Strategy

  1. Target URL: http://localhost:8080/wp-admin/admin-ajax.php
  2. Method: POST (or GET, depending on the handler's $_REQUEST usage).
  3. Headers: Content-Type: application/x-www-form-urlencoded
  4. Payload (Example):
    action=sac_get_messages&sac_nonce=[EXTRACTED_NONCE]&sac_last_id=0
    
    • sac_last_id=0 is often used to fetch the entire history from the beginning.
  5. Response Analysis:
    • Examine the response for fields like "ip", "user_id", "email", or "user_login".
    • Check for internal file paths or configuration details if the action is related to settings.

6. Test Data Setup

To demonstrate information exposure, there must be "sensitive" data to expose:

  1. Create a Registered User:
    wp user create victim victim@example.com --role=author --user_pass=password123
    
  2. Post a Message as the User:
    • Log in as victim and post a message to the chat via the UI or by simulating the sac_post_message AJAX action.
    • Ensure the message is stored in the database with the user's IP (usually 127.0.0.1 in the test environment).
  3. Confirm Database Entry:
    wp db query "SELECT * FROM wp_simple_ajax_chat LIMIT 5;"
    

7. Expected Results

A successful exploit will return a response (likely JSON) containing:

  • The IP addresses of users who posted messages.
  • User IDs or email addresses associated with chat messages.
  • Potentially hidden chat room names or configuration keys.

8. Verification Steps

  1. Compare Response to DB: Verify that the IP address or Email found in the HTTP response matches the data in the wp_simple_ajax_chat table.
  2. Check Unauthenticated Access: Repeat the request without any WordPress session cookies to confirm that the nopriv hook is indeed leaking the data.

9. Alternative Approaches

If sac_get_messages does not leak data, investigate other nopriv actions identified in the source audit:

  • Action Search: grep -r "wp_ajax_nopriv_" wp-content/plugins/simple-ajax-chat/
  • Possible Candidates:
    • sac_export_messages: Might lack permission checks and return a CSV of all data.
    • sac_get_user_list: Might return a list of all chat participants including sensitive metadata.
    • Check if admin_init hooks are firing on admin-ajax.php without capability checks, which sometimes leads to configuration leakage.

Research Findings
Status: Static analysis — not yet PoC-verified

Summary

The Simple Ajax Chat plugin for WordPress is vulnerable to Sensitive Information Exposure via its AJAX handlers. This allows unauthenticated attackers to retrieve sensitive user data, such as IP addresses and email addresses associated with chat messages, because the plugin fails to filter sensitive database columns or implement sufficient authorization checks in its public AJAX responses.

Vulnerable Code

// In simple-ajax-chat.php (representative snippet based on research plan)

function sac_get_messages() {
    global $wpdb;
    $table_name = $wpdb->prefix . 'simple_ajax_chat';
    
    // The query selects all columns, including sensitive metadata
    $results = $wpdb->get_results("SELECT * FROM $table_name ORDER BY id DESC LIMIT 50");
    
    foreach ($results as $result) {
        // Sensitive fields like 'ip' or 'user_email' are included in the response
        // without checking if the requester has administrative privileges.
        echo "<div class='sac-chat-message' data-ip='" . esc_attr($result->ip) . "'>";
        echo esc_html($result->text);
        echo "</div>";
    }
    wp_die();
}

add_action('wp_ajax_sac_get_messages', 'sac_get_messages');
add_action('wp_ajax_nopriv_sac_get_messages', 'sac_get_messages');

Security Fix

--- simple-ajax-chat.php
+++ simple-ajax-chat.php
@@ -10,7 +10,14 @@
     $results = $wpdb->get_results("SELECT * FROM $table_name ORDER BY id DESC LIMIT 50");
 
     foreach ($results as $result) {
-        echo "<div class='sac-chat-message' data-ip='" . esc_attr($result->ip) . "'>";
+        $display_ip = '';
+        // Only expose IP addresses to users with the 'manage_options' capability
+        if (current_user_can('manage_options')) {
+            $display_ip = esc_attr($result->ip);
+        } else {
+            $display_ip = 'Protected';
+        }
+        echo "<div class='sac-chat-message' data-ip='" . $display_ip . "'>";
         echo esc_html($result->text);
         echo "</div>";
     }
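Review bot: the capability check in this hunk protects only the data-ip attribute, while the Summary above states that email addresses and user IDs are also exposed; the query still runs SELECT * and any other column printed in this loop or in surrounding template code stays unprotected. Suggest restricting the query to the columns the chat UI needs (for example "SELECT id, text FROM $table_name ORDER BY id DESC LIMIT 50") and appending ip and similar columns only when current_user_can('manage_options') is true, which also lets the capability check run once per request instead of once per row inside the foreach.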

Exploit Outline

  1. Identify a public page on the target WordPress site that loads the Simple Ajax Chat (typically containing the [sac_chat] shortcode).
  2. Extract the required AJAX nonce by inspecting the page source for the 'sac_vars' JavaScript object, specifically looking for the 'sac_nonce' key.
  3. Send a POST request to /wp-admin/admin-ajax.php with the following payload: action=sac_get_messages&sac_nonce=[NONCE]&sac_last_id=0.
  4. The response will return the chat history. An attacker can then parse the HTML or JSON response to extract the 'data-ip' attributes or other fields containing user IP addresses and potentially email addresses or user IDs that were not intended for public exposure.
