{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14316", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-12-09T08:58:04.821Z", "datePublished": "2026-01-26T06:00:13.528Z", "dateUpdated": "2026-04-02T12:39:54.729Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:54.729Z"}, "title": "AhaChat Messenger Marketing <= 1.1 - Reflected XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "AhaChat Messenger Marketing", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin"}], "references": [{"url": "https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Yevgen Goncharuk", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T14:53:31.145504Z", "id": "CVE-2025-14316", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T14:53:36.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-14316", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T14:53:31.145504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T14:52:54.997Z"}}], "cna": {"title": "AhaChat Messenger Marketing <= 1.1 - Reflected XSS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Yevgen Goncharuk"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "AhaChat Messenger Marketing", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:54.729Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14316", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:54.729Z", "dateReserved": "2025-12-09T08:58:04.821Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-01-26T06:00:13.528Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin"}, {"lang": "es", "value": "El plugin de WordPress AhaChat Messenger Marketing hasta la 1.1 no sanitiza ni escapa un par\u00e1metro antes de mostrarlo de nuevo en la p\u00e1gina, lo que lleva a un cross-site scripting reflejado que podr\u00eda ser utilizado contra usuarios con altos privilegios, como el administrador."}], "id": "CVE-2025-14316", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-26T07:16:06.383", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:43:36.530305+00:00", "value": {"mitigation_remediation": ["Upgrade the AhaChat Messenger Marketing plugin to a version newer than 1.1 where the problematic parameter is properly sanitized and encoded.", "If an upgrade is not immediately possible, restrict access to the plugin\u2019s admin pages to trusted users and discourage them from visiting suspicious links.", "Configure a Content Security Policy that forbids inline scripts and limits script sources to trusted domains to mitigate the impact of any reflected XSS."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the AhaChat Messenger Marketing plugin, any version up to and including 1.1. No vendor product names beyond the plugin itself are listed.", "description_and_impact": "The AhaChat Messenger Marketing WordPress plugin through version 1.1 fails to sanitize and escape a user\u2011supplied parameter before rendering it back to the page, resulting in a reflected Cross\u2011Site Scripting vulnerability. An attacker could embed malicious JavaScript in a crafted link; when an administrator views the page, the script executes in the context of the admin user, potentially allowing session hijacking, credential theft, or other malicious actions on the site. The lack of output encoding further enables the attacker to execute scripts that can compromise the admin session.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high\u2011severity flaw. The EPSS score is below 1%, reflecting a low but non\u2011zero probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no public exploits are known. Exposures typically occur via a crafted URL that an admin might visit; the limited attack surface keeps the risk moderate, yet the potential for elevated XSS impact warrants prompt remediation."}}}}, "created": "2026-01-27T20:17:57.007987+00:00", "updated": "2026-04-28T09:45:28.460683+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-79"]}