CVE-2026-13005 in MxChat Plugininfo

Summary

by MITRE • 07/16/2026

The MxChat – AI Chatbot & Content Generation for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in the MxChat plugin affects WordPress installations where administrators can manipulate settings through the admin interface, creating a persistent cross-site scripting vector that operates within the context of the target website. This stored XSS flaw exists specifically within the plugin's handling of user input during administrative configuration changes, allowing malicious actors with elevated privileges to inject malicious scripts that persist in the database and execute whenever affected pages are accessed by other users. The vulnerability impacts all versions up to and including 3.2.10, representing a significant security risk for WordPress sites that rely on this particular plugin for AI chatbot functionality and content generation services.

The technical root cause stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's administrative settings interface. When administrators modify plugin configurations, the system fails to properly validate or sanitize user-supplied data before storing it in the database, while simultaneously not implementing proper HTML escaping when rendering this data back to users in the admin interface. This dual failure creates an environment where malicious scripts can be stored and subsequently executed without proper context-aware sanitization, directly violating fundamental web security principles for preventing XSS attacks. The vulnerability specifically manifests when administrators input malicious payloads into plugin settings fields, which are then saved to the database and rendered in subsequent page requests.

The operational impact of this vulnerability is severe for WordPress sites using the affected plugin, particularly in multi-site environments where the attack surface expands significantly. Attackers with administrator-level access can craft malicious scripts that execute within the context of other users' browsers, potentially leading to session hijacking, privilege escalation, data exfiltration, or complete compromise of the affected WordPress installation. The restriction to installations where unfiltered_html has been disabled suggests that sites with more permissive HTML filtering may be less vulnerable, but this protection is only effective if proper security measures are implemented at multiple levels. This vulnerability directly relates to CWE-79 which categorizes cross-site scripting flaws as a critical web application security weakness and aligns with ATT&CK technique T1059.002 for command and scripting interpreter usage in executing malicious payloads.

Mitigation strategies should focus on immediate plugin updates to versions that address the XSS vulnerability through proper input validation and output escaping mechanisms. Administrators must ensure that all WordPress installations are running patched versions of the MxChat plugin, as well as maintaining comprehensive security monitoring for unauthorized administrative changes. Network-level protections such as web application firewalls and content security policies should be implemented to add defense-in-depth measures against potential exploitation attempts. Regular security audits of plugin configurations and access controls should be conducted to identify any potential attack vectors that may have been previously overlooked. Additionally, implementing principle of least privilege access controls and regular security training for administrators can help reduce the risk of successful exploitation through credential compromise or social engineering attacks targeting privileged accounts.

Responsible

Wordfence

Reservation

06/23/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!