{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3075", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-23T20:46:14.458Z", "datePublished": "2026-02-23T20:48:13.276Z", "dateUpdated": "2026-04-28T16:15:09.450Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-ajax-chat", "product": "Simple Ajax Chat", "vendor": "Jeff Starr", "versions": [{"changes": [{"at": "20260217", "status": "unaffected"}], "lessThanOrEqual": "20251121", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:47.425Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data.<p>This issue affects Simple Ajax Chat: from n/a through <= 20251121.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data.This issue affects Simple Ajax Chat: from n/a through <= 20251121."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:09.450Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-ajax-chat/vulnerability/wordpress-simple-ajax-chat-plugin-20251121-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Simple Ajax Chat plugin <= 20251121 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:55:32.305944Z", "id": "CVE-2026-3075", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:42:58.029Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3075", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-23T20:46:14.458Z", "datePublished": "2026-02-23T20:48:13.276Z", "dateUpdated": "2026-04-28T12:42:58.029Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-ajax-chat", "product": "Simple Ajax Chat", "vendor": "Jeff Starr", "versions": [{"changes": [{"at": "20260217", "status": "unaffected"}], "lessThanOrEqual": "20251121", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:47.425Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data.<p>This issue affects Simple Ajax Chat: from n/a through <= 20251121.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data.This issue affects Simple Ajax Chat: from n/a through <= 20251121."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:56.716Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-ajax-chat/vulnerability/wordpress-simple-ajax-chat-plugin-20251121-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Simple Ajax Chat plugin <= 20251121 - Sensitive Data Exposure vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T17:55:32.305944Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:55:44.648Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data.This issue affects Simple Ajax Chat: from n/a through <= 20251121."}, {"lang": "es", "value": "Vulnerabilidad de Exposici\u00f3n de Informaci\u00f3n Sensible del Sistema a una Esfera de Control No Autorizada en Jeff Starr Simple Ajax Chat simple-ajax-chat, permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Simple Ajax Chat: desde n/a hasta &lt;= 20251121."}], "id": "CVE-2026-3075", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-23T21:19:13.140", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-ajax-chat/vulnerability/wordpress-simple-ajax-chat-plugin-20251121-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,20251121]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Simple Ajax Chat", "source": "cna", "vendor": "Jeff Starr"}, "product": "simple_ajax_chat", "vendor": "jeff_starr"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:15:44.532086+00:00", "value": {"mitigation_remediation": ["Update the Simple Ajax Chat plugin to a version newer than 20251121, if one is available.", "If no update exists, disable or uninstall the plugin to eliminate the exposure.", "Restrict access to the plugin\u2019s API or data endpoints by requiring authentication or implementing IP restriction rules."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The issue affects Jeff Starr\u2019s Simple Ajax Chat plugin for WordPress on any installation using version 20251121 or earlier. No specific WordPress core version is mentioned, so any site running any of those plugin versions is at risk.", "description_and_impact": "This vulnerability allows the retrieval of embedded sensitive system information from the Simple Ajax Chat WordPress plugin. Consequently, any unauthorized user can obtain confidential data, leading to a breach of confidentiality. The weakness, identified as CWE-497, permits exposure of sensitive data without proper access controls.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the severity as moderate, while the EPSS score of less than 1% indicates a low likelihood of exploitation at the time of analysis. It is not listed in the CISA KEV catalog. The likely attack vector is through the plugin\u2019s web interface or API, where an unauthenticated or insufficiently authorized user can trigger data retrieval. No additional prerequisites are described in the advisory, so the vulnerability can be exploited as long as the vulnerable plugin is active on a publicly accessible WordPress site."}}}}, "created": "2026-02-24T09:55:21.077426+00:00", "updated": "2026-04-15T20:30:13.763584+00:00", "vendors": ["jeff_starr", "jeff_starr$PRODUCT$simple_ajax_chat", "wordpress", "wordpress$PRODUCT$wordpress"]}