Community Alert: Cross-Site Scripting in Collectchat (CVE-2026-0736)

Cross-Site Scripting (XSS) in WordPress collectchat Plugin
Plugin Name: collectchat
Type of Vulnerability: XSS
CVE Number: CVE-2026-0736
Urgency: Medium
CVE Publish Date: 2026-02-13
Source URL: CVE-2026-0736

Urgent: What the Collectchat Stored XSS (CVE-2026-0736) Means for Your WordPress Site

Date: 2026-02-13   |   Author: Hong Kong Security Expert

Summary

A stored Cross-Site Scripting vulnerability (CVE-2026-0736) affecting the collectchat WordPress plugin (versions ≤ 2.4.8) has been disclosed. An authenticated user with Contributor privileges can store malicious JavaScript in a post meta field that may execute later in the context of an administrator or a frontend visitor. Although the disclosed severity is described as low, and exploitation requires an authenticated account plus user interaction, stored XSS can be escalated into a full site compromise if not handled promptly.

I write as a Hong Kong security practitioner to provide clear, actionable guidance: how the vulnerability operates, realistic impact scenarios, detection techniques, immediate containment steps you can take now, and secure developer fixes. This is intended for site owners, developers, and incident responders who need steps to act on immediately.

What happened (plain language)

  • The collectchat plugin saves data into a post meta field without adequate sanitization.
  • An authenticated user with the Contributor role can insert HTML/JavaScript into that meta field.
  • The plugin later outputs that meta field in a context where the value is rendered as HTML (or is not properly escaped), causing the stored script to execute when an admin or visitor views the page or admin screen.
  • Stored XSS is persistent: injected payloads remain in the database and can affect many users over time.

Important context: the exploit requires a Contributor account to place the payload. Many sites allow user registrations or use Contributor accounts for contractors or guest authors — the attack surface is therefore non-trivial.
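To make the save/output pattern behind this class of bug concrete, here is an added illustration written for this alert; it is not code from the collectchat plugin, and the meta key `_cc_widget_note`, the form field and nonce names, and the `cc_*` function names are all hypothetical. The first pair of functions shows the unsafe pattern (raw input stored, raw output rendered); the second pair shows the hardened form with a nonce, a capability check, sanitization on input and context-aware escaping on output, plus a `register_post_meta()` registration so that non-form write paths are covered as well. Note that a Contributor legitimately passes `current_user_can( 'edit_post', ... )` on their own drafts, so the capability check alone does not close the hole: sanitizing what is stored and escaping what is printed are the parts that matter.

```php
<?php
/*
 * Added illustration for CVE-2026-0736 style bugs; NOT the collectchat plugin's code.
 * Meta key, field names, nonce action and function names below are hypothetical.
 */

/* ---- Unsafe pattern: how a post-meta stored XSS comes about ---- */
function cc_unsafe_save( $post_id ) {
    if ( isset( $_POST['cc_widget_note'] ) ) {
        // No nonce, no capability check, no sanitization: whatever a Contributor
        // submits (including <script> tags) is persisted verbatim in wp_postmeta.
        update_post_meta( $post_id, '_cc_widget_note', $_POST['cc_widget_note'] );
    }
}

function cc_unsafe_render( $post_id ) {
    // Output without escaping: stored markup is rendered as HTML for every viewer,
    // including administrators on admin screens that reuse this function.
    echo '<div class="cc-note">' . get_post_meta( $post_id, '_cc_widget_note', true ) . '</div>';
}

/* ---- Hardened pattern ---- */
function cc_safe_save( $post_id ) {
    // 1. Skip autosaves and revisions; they should not touch our meta.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // 2. Require a nonce bound to this form and this post (CSRF defence).
    if ( ! isset( $_POST['cc_note_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['cc_note_nonce'] ), 'cc_save_note_' . $post_id ) ) {
        return;
    }
    // 3. Require the right to edit this post. A Contributor passes this for
    //    their own draft, so this is authorization, not the XSS fix.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['cc_widget_note'] ) ) {
        return;
    }
    // 4. Remove the slashes WordPress adds to $_POST, then sanitize on input.
    //    sanitize_text_field() strips all tags; if limited HTML is genuinely
    //    required, wp_kses_post() is the alternative.
    $note = sanitize_text_field( wp_unslash( $_POST['cc_widget_note'] ) );
    update_post_meta( $post_id, '_cc_widget_note', $note );
}
add_action( 'save_post', 'cc_safe_save' );

function cc_safe_render( $post_id ) {
    // 5. Escape on output for the exact context (HTML body here; use esc_attr()
    //    inside attributes, esc_js() inside inline scripts). Stored data is
    //    treated as untrusted even though it was sanitized when saved.
    $note = get_post_meta( $post_id, '_cc_widget_note', true );
    echo '<div class="cc-note">' . esc_html( $note ) . '</div>';
}

// Defence in depth: registering the key attaches sanitize/auth callbacks that
// run inside update_post_meta() itself, so REST or other write paths that
// bypass the classic-editor form are covered too.
add_action( 'init', function () {
    register_post_meta( 'post', '_cc_widget_note', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'sanitize_text_field',
        'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
} );
```

When reviewing a plugin for this bug class, look for `update_post_meta()` / `add_post_meta()` calls whose value comes from `$_POST`, `$_GET` or a REST request without a sanitizing function in between, and for `get_post_meta()` results that are echoed without an `esc_*()` or `wp_kses*()` wrapper; either half alone is enough to turn Contributor-level input into script execution for an administrator.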

Technical analysis: how stored XSS via post_meta works

  1. An attacker creates or controls a Contributor account and inserts HTML/JavaScript into a post meta field (for example,