Hong Kong Community Advisory: XSS in Chat (CVE-2026-2987)

Cross-Site Scripting (XSS) in WordPress Simple Ajax Chat Plugin
Plugin Name: Simple Ajax Chat
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-2987
Urgency: Medium
CVE Publish Date: 2026-03-14
Source URL: CVE-2026-2987
Urgent: Unauthenticated Stored XSS in “Simple Ajax Chat” (CVE-2026-2987) — What WordPress Site Owners Must Do Now

By Hong Kong Security Expert — 2026-03-13

A public advisory has disclosed a stored Cross-Site Scripting (XSS) vulnerability in the Simple Ajax Chat WordPress plugin (versions <= 20260217), tracked as CVE-2026-2987. The vendor released a patch on 2026-03-01; sites that have not updated remain vulnerable. An unauthenticated attacker can store JavaScript via a parameter named c, which is later rendered in the site context when others view chat output — potentially including privileged users.

I write as a Hong Kong-based security practitioner with operational experience responding to WordPress plugin incidents. This post gives a clear, practical response plan:

  • Plain-English explanation of the vulnerability and risk
  • How attackers can exploit it and real-world impacts
  • Immediate emergency actions you must take
  • Developer-safe code fixes and output-escaping examples
  • WAF mitigation rules you can deploy right away
  • Detection tips and clean-up procedures if you were hit

Quick summary (60 seconds)

  • Vulnerability: Stored XSS via parameter c in Simple Ajax Chat (<= 20260217).
  • Severity: Medium (CVSS 7.1) — but actual impact can be high if privileged users view injected content.
  • CVE: CVE-2026-2987.
  • Patched: 2026-03-01. Update the plugin immediately to version 20260301 or later.
  • If you cannot update immediately: disable the plugin, restrict access to the chat endpoints, or deploy WAF rules to block script-like payloads in the c parameter.
  • After patching: search and remove stored malicious messages and rotate credentials if there’s evidence of exploitation.

What is Stored Cross-Site Scripting (stored XSS) — and why is this one concerning?

Stored XSS occurs when an attacker submits malicious HTML/JavaScript that the server persistently stores and later serves back to users. When that content is rendered in a victim’s browser, the attacker’s code executes in the victim’s session context.

In this advisory:

  • The plugin exposes a parameter c used for chat content.
  • An unauthenticated attacker can send crafted input via c that gets stored.
  • When another user (often an admin or editor) views the chat, the stored payload executes with that user’s privileges.
  • Consequences include session theft, CSRF-like actions on behalf of admins, persistent malware, redirects, or data exfiltration.

Who is at greatest risk?

  • Sites running Simple Ajax Chat versions <= 20260217 that haven’t applied the 2026-03-01 update.
  • Sites where privileged users regularly view chat content or dashboards that include chat output.
  • Sites that embed chat output into pages accessible by high-privileged accounts.
  • Sites without any WAF or virtual patching in place.

How an attacker could exploit this (practical example)

  1. Attacker sends a request to the chat endpoint with c containing a JavaScript payload, for example: .
  2. The plugin persists the content into the database without proper sanitization.
  3. When an admin views the chat, the browser executes the stored script.
  4. Potential actions by the payload: steal cookies/local storage, perform actions as the admin, inject further scripts, redirect pages, log keystrokes, or enumerate site internals.

Note: Even though the vulnerability is labelled “medium”, stored XSS often leads to high-impact compromises when the victim is an administrator. Treat this with urgency.
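The stored payloads described above are what a site owner later has to find in the chat table. The following Python script is an added example, not code from the plugin or from this advisory: it scans constructed sample rows (the column names are assumptions, not the plugin's schema) for the three indicator classes this advisory names, script tags, inline event handlers and javascript: URIs, and confirms that escaping on output, the rendering-side fix the plugin lacked, leaves none of them live.

```python
import html
import re

# Constructed sample rows standing in for the plugin's stored chat messages;
# the column names (id, name, message) are assumptions, not the real schema.
SAMPLE_ROWS = [
    {"id": 1, "name": "alice", "message": "hello everyone"},
    {"id": 2, "name": "guest", "message": "<script>document.title='x'</script>"},
    {"id": 3, "name": "guest", "message": '<img src=x onerror="alert(1)">'},
    {"id": 4, "name": "bob", "message": "see <a href='javascript:void(0)'>this</a>"},
    {"id": 5, "name": "carol", "message": "my onboarding=done, all good"},
]

# The three indicator classes the advisory names. Each pattern requires a
# tag context (a leading "<") so that prose such as "onboarding=done" is not
# flagged, and so that output-escaped text can never match.
SUSPICIOUS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "inline event handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript: URI": re.compile(
        r"<[^>]*\b(?:href|src|action)\s*=\s*[\"']?\s*javascript\s*:", re.IGNORECASE
    ),
}


def find_suspicious_messages(rows):
    """Return [(id, [reason, ...]), ...] for rows whose message looks like a payload."""
    hits = []
    for row in rows:
        reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items()
                   if pat.search(row["message"])]
        if reasons:
            hits.append((row["id"], reasons))
    return hits


def escape_for_output(text):
    """The fix on the rendering side: escape so stored markup is shown, not run."""
    return html.escape(text, quote=True)


def is_inert_after_escaping(text):
    """True if no indicator pattern can still match once the text is escaped."""
    return not any(pat.search(escape_for_output(text))
                   for pat in SUSPICIOUS_PATTERNS.values())


if __name__ == "__main__":
    for msg_id, reasons in find_suspicious_messages(SAMPLE_ROWS):
        print(f"row {msg_id}: {', '.join(reasons)}")
```

On a real site, feed the function rows exported from the plugin's message table instead of SAMPLE_ROWS; anything it flags is a candidate for removal after you have taken the backup the checklist below calls for.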

Immediate steps you must take (incident checklist)

If you run Simple Ajax Chat on any site, perform these actions now:

  1. Update the plugin to 20260301 (or later) immediately. This is the primary fix.
  2. If you cannot update right away, deactivate the plugin until you can patch.
  3. Deploy WAF rules to block requests with script tags, event handlers (onerror, onclick, onload), javascript: URIs, or other obvious payloads in the c parameter.
  4. Restrict access to the chat endpoint where possible — by IP, authentication, or capability checks.
  5. Take a full backup (files + DB) before remediation steps.
  6. Search for and remove stored malicious messages (look for