Simple Ajax Chat – Add a Fast, Secure Chat Box Vulnerability (Mediu…

by | Mar 12, 2026 | Plugins

Attack Vectors

CVE-2026-2987 is a Medium-severity vulnerability (CVSS 6.1) affecting the WordPress plugin Simple Ajax Chat – Add a Fast, Secure Chat Box (slug: simple-ajax-chat) in versions up to, and including, 20260217.

An attacker does not need to log in (the attack is unauthenticated) to attempt exploitation. By submitting a crafted chat message through the ‘c’ parameter, an attacker may be able to store script content that runs later, when a visitor or staff member views the affected page or chat output. Because the CVSS vector includes UI:R (user interaction required), the impact typically occurs when someone loads a page on which the injected content is displayed.

Security Weakness

The issue is a Stored Cross-Site Scripting (XSS) weakness caused by insufficient input sanitization and output escaping of the ‘c’ parameter. In practical terms, the plugin may accept attacker-supplied content, store it, and later render it in a browser in a way that the browser interprets as markup or code rather than plain text.
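The rendering mistake the advisory describes, shown as an added example in JavaScript (this is not code from the Simple Ajax Chat plugin, whose internals are not on this page): a stored chat message is placed into markup unescaped, beside a renderer that escapes every untrusted field at the point of output. The function names, the CSS class and the sample messages are constructed for illustration.

```javascript
// Added example, not plugin code. Shows the unescaped rendering pattern behind
// a stored XSS in a chat widget and the hardened equivalent. All names below
// (escapeHtml, renderMessage*, the "sac-msg" class, SAMPLE_MESSAGES) are
// assumptions made for this illustration.

// Escape the five characters that let user text break out of HTML text or
// attribute context. This is the output-escaping step the advisory names as
// missing for the 'c' parameter.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

// Vulnerable pattern: the stored message body is concatenated straight into
// markup, so a message containing tags becomes part of the DOM when the
// fragment is assigned to innerHTML.
function renderMessageUnsafe(msg) {
  return `<div class="sac-msg"><b>${msg.name}</b>: ${msg.text}</div>`;
}

// Hardened pattern: each untrusted field is escaped where it enters HTML,
// independently of whatever filtering happened when the message was stored.
function renderMessageSafe(msg) {
  return `<div class="sac-msg"><b>${escapeHtml(msg.name)}</b>: ${escapeHtml(msg.text)}</div>`;
}

// Defender-side regression check: does a rendered fragment still contain an
// element or inline event handler that could run script? Useful in a test
// suite for a renderer; it is not a security boundary on its own.
function containsActiveContent(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b/i.test(html)
    || /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: one benign message and one carrying markup of the kind
// a stored-XSS probe in the 'c' parameter would leave in the chat log.
const SAMPLE_MESSAGES = [
  { name: 'alice', text: 'hi there <3' },
  { name: 'bob', text: '<script>alert(1)</script>' },
];

// Render the whole constructed log both ways so the difference is visible.
function renderAll(renderer) {
  return SAMPLE_MESSAGES.map(renderer).join('\n');
}

console.log('unsafe:\n' + renderAll(renderMessageUnsafe));
console.log('safe:\n' + renderAll(renderMessageSafe));
```

In a browser the simplest fix is to assign message text with `el.textContent` instead of building HTML strings at all. On the WordPress side the same two steps apply: sanitize the value when it is stored (for example with `sanitize_text_field()`) and escape it when it is printed (`esc_html()`), because filtering on input alone does not protect every output context the value may later reach.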

Stored XSS is especially concerning for business sites because it can persist across sessions and affect multiple users over time—including customers, prospects, and internal teams who access the site from trusted networks and devices.

Technical or Business Impacts

If exploited, this vulnerability can expose the organization to brand and operational risk. Malicious scripts can be used to manipulate what visitors see on-site (e.g., replacing links or calls-to-action), redirect traffic, or present convincing fraud content that appears to come from your domain.

From a business perspective, likely impacts include loss of customer trust, campaign performance disruption (misdirected landing-page traffic, altered forms, inaccurate attribution), and compliance exposure if the attack is used to facilitate unauthorized access to accounts or data through deceptive on-page prompts. The CVSS metrics indicate potential low confidentiality and integrity impact (C:L/I:L), which can still be meaningful when your website supports lead generation, customer communications, or regulated workflows.

Remediation: Update Simple Ajax Chat to version 20260301 or newer (patched). Reference: Wordfence vulnerability record. Official CVE record: CVE-2026-2987.

Similar Attacks

Stored XSS has been used in real-world incidents to spread rapidly and damage trust because the malicious code executes in a user’s browser while they believe they are interacting with a legitimate page.

Examples include:

Samy (MySpace) worm — a stored XSS-based worm that propagated through user profiles.
Yamanner (Yahoo! Mail) worm — a stored XSS-driven email worm that replicated by abusing webmail scripting behavior.
