{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12448", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T20:17:58.812Z", "datePublished": "2026-02-19T03:25:11.994Z", "dateUpdated": "2026-04-08T16:47:23.191Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:23.191Z"}, "affected": [{"vendor": "smartsupp", "product": "Smartsupp \u2013 live chat, AI shopping assistant and chatbots", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smartsupp \u2013 live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Smartsupp \u2013 live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c298653-7f79-4ee2-89c8-8a6d0e1446b8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/admin/class-smartsupp-admin.php#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/public/class-smartsupp.php#L177"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403904%40smartsupp-live-chat&new=3403904%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402922%40smartsupp-live-chat&new=3402922%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398777%40smartsupp-live-chat&new=3398777%40smartsupp-live-chat&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2026-02-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:04:43.960109Z", "id": "CVE-2025-12448", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:43:40.590Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12448", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:04:43.960109Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:04:45.825Z"}}], "cna": {"title": "Smartsupp \u2013 live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "smartsupp", "product": "Smartsupp \u2013 live chat, AI shopping assistant and chatbots", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c298653-7f79-4ee2-89c8-8a6d0e1446b8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/admin/class-smartsupp-admin.php#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/public/class-smartsupp.php#L177"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403904%40smartsupp-live-chat&new=3403904%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402922%40smartsupp-live-chat&new=3402922%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398777%40smartsupp-live-chat&new=3398777%40smartsupp-live-chat&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Smartsupp \u2013 live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:23.191Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12448", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:23.191Z", "dateReserved": "2025-10-28T20:17:58.812Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T03:25:11.994Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smartsupp \u2013 live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Smartsupp \u2013 live chat, asistente de compras con IA y chatbots para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'code' en todas las versiones hasta la 3.9.1, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel Suscriptor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-12448", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:28.040", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/admin/class-smartsupp-admin.php#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smartsupp-live-chat/tags/3.2/public/class-smartsupp.php#L177"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398777%40smartsupp-live-chat&new=3398777%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402922%40smartsupp-live-chat&new=3402922%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403904%40smartsupp-live-chat&new=3403904%40smartsupp-live-chat&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c298653-7f79-4ee2-89c8-8a6d0e1446b8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Smartsupp \u2013 live chat, AI shopping assistant and chatbots", "source": "cna", "vendor": "smartsupp"}, "product": "smartsupp_\u2013_live_chat,_ai_shopping_assistant_and_chatbots", "vendor": "smartsupp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T11:36:00.806825+00:00", "value": {"mitigation_remediation": ["Update the Smartsupp plugin to the latest version that removes the vulnerability (at least 3.9.2 or newer).", "If an update cannot be applied immediately, revoke Subscriber or higher level privileges from accounts that should not access the chat functionality, effectively preventing the attack vector. ", "After updating or restricting access, review all content passed to the 'code' parameter and ensure it is properly sanitized or escaped before storage or rendering."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting in the Smartsupp WordPress plugin"}, "threat_synthesis": {"affected_systems": "All installations of the Smartsupp \u2013 live chat, AI shopping assistant and chatbots WordPress plugin with a version number less than or equal to 3.9.1 are affected. No later versions were reported to contain the flaw.", "description_and_impact": "The vulnerability allows an authenticated user with Subscriber or higher privileges to supply malicious content through the 'code' parameter in the Smartsupp plugin. The lack of sanitization and escaping means the injected scripts are stored and later executed in the context of any user who loads the affected page, potentially leading to data theft, session hijacking, or defacement. This is a classic Stored XSS flaw identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate impact, and the EPSS score is below 1%, suggesting a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the WordPress site, meaning an attacker must obtain at least Subscriber level credentials to inject the payload. Once injected, the stored script runs for all users visiting the affected page, expanding the attack surface across the user base."}}}}, "created": "2026-02-19T10:07:44.416161+00:00", "updated": "2026-04-22T12:00:05.903188+00:00", "vendors": ["smartsupp", "smartsupp$PRODUCT$smartsupp_\u2013_live_chat,_ai_shopping_assistant_and_chatbots", "wordpress", "wordpress$PRODUCT$wordpress"]}