VYPR
High severity 7.1 · NVD Advisory · Published Jan 26, 2026 · Updated Apr 15, 2026

CVE-2025-14316

Description

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as an admin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected Cross-Site Scripting in AhaChat Messenger Marketing WordPress plugin through 1.1 allows attackers to execute arbitrary JavaScript in high-privilege users' sessions.

The AhaChat Messenger Marketing WordPress plugin versions through 1.1 are affected by a reflected cross-site scripting (XSS) vulnerability. The plugin fails to sanitize and escape a parameter before outputting it in a page, enabling injection of arbitrary HTML or JavaScript [1].

An attacker can exploit this flaw by tricking a high-privilege user, such as an administrator, into clicking a crafted link. The malicious parameter is reflected back, executing the attacker's script in the context of the victim's browser and WordPress session [1].

If the flaw is successfully exploited, an attacker can perform administrative actions such as creating new accounts or installing malicious plugins, or can steal session cookies. The CVSS v3 base score of 7.1 indicates high severity, largely due to the potential for complete compromise of the WordPress site.

As of the disclosure date, no official fix is available. Users should either remove the plugin or monitor for updates. The vulnerability was discovered and reported by Yevgen Goncharuk, with the WPScan advisory providing further details [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
