{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3670", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-15T21:51:15.303Z", "datePublished": "2025-05-02T01:43:36.927Z", "dateUpdated": "2026-04-08T17:34:57.552Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:57.552Z"}, "affected": [{"vendor": "kiwichat", "product": "KiwiChat NextClient", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd6f6a2c-59d3-4091-82ac-0edf9f47ef65?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kiwichat/trunk/public/index.php#L25"}, {"url": "https://wordpress.org/plugins/kiwichat/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-05-01T13:11:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T17:19:27.248186Z", "id": "CVE-2025-3670", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T17:24:44.331Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3670", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T17:19:27.248186Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T17:20:22.696Z"}}], "cna": {"title": "KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kiwichat", "product": "KiwiChat NextClient", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-01T13:11:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd6f6a2c-59d3-4091-82ac-0edf9f47ef65?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kiwichat/trunk/public/index.php#L25"}, {"url": "https://wordpress.org/plugins/kiwichat/#developers"}], "descriptions": [{"lang": "en", "value": "The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:57.552Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3670", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:57.552Z", "dateReserved": "2025-04-15T21:51:15.303Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-02T01:43:36.927Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento KiwiChat NextClient para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'url' en todas las versiones hasta la 6.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3670", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-02T03:15:20.700", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kiwichat/trunk/public/index.php#L25"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/kiwichat/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd6f6a2c-59d3-4091-82ac-0edf9f47ef65?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:11:32.124998+00:00", "value": {"mitigation_remediation": ["Apply the vendor's patch by updating KiwiChat NextClient to the latest version released after 6.2.", "Scan the database for and delete any stored URLs that contain script tags or JavaScript payloads.", "Review or revoke contributor-level access for users who no longer need it, limiting the risk of further XSS injection."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via the url parameter (authenticated contributors and above)."}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the WordPress plugin KiwiChat NextClient, all versions up to and including 6.2. An attacker must be logged in with Contributor level access or higher to exploit the flaw.", "description_and_impact": "A content injection flaw in the KiwiChat NextClient plugin allows authenticated users with Contributor or higher roles to embed malicious JavaScript into the plugin\u2019s url parameter. Because the input is stored and then rendered without escaping, every subsequent page view by any user runs the injected code. This flaw is a CWE\u201179 Stored Cross\u2011Site Scripting vulnerability.", "risk_and_exploitability": "The CVSS score of 6.4 reflects moderate severity, and the EPSS score of less than 1% indicates low exploitation probability at this time. The flaw is not listed in the CISA KEV catalog. Exploitation requires authenticated access, meaning the attacker must first obtain or create a Contributor\u2011level account. Once authenticated, the attacker can persistently inject scripts that execute on any client loading the affected page."}}}}, "created": "2025-07-12T22:44:52.948669+00:00", "updated": "2026-04-22T04:15:07.539361+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}