PatchSiren cyber security CVE debrief
CVE-2026-13005 mxchat CVE debrief
The MxChat – AI Chatbot & Content Generation for WordPress plugin is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.10. This is due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level permissions can inject web scripts that execute when users access injected pages. This vulnerability affects multi-site installations and installations where unfiltered_html has been disabled.
- Vendor
- mxchat
- Product
- MxChat – AI Chatbot & Content Generation for WordPress
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Administrators of WordPress installations using the MxChat plugin, especially those with multi-site setups or where unfiltered_html is disabled, should prioritize updating to a patched version.
Technical summary
CVE-2026-13005 is a Stored Cross-Site Scripting (XSS) vulnerability in the MxChat – AI Chatbot & Content Generation for WordPress plugin. The vulnerability exists in versions up to and including 3.2.10 and is caused by inadequate input sanitization and output escaping in admin settings. Exploitation requires administrator-level permissions and can only occur in multi-site installations or where unfiltered_html is disabled. Successful exploitation allows attackers to inject arbitrary web scripts that execute when users access the injected pages.
Defensive priority
Medium priority due to the requirement for administrator-level permissions and specific configuration vulnerabilities.
Recommended defensive actions
- Update MxChat plugin to a version beyond 3.2.10.
- Review and enhance input sanitization and output escaping in admin settings.
- Monitor for suspicious admin activity and injected scripts.
- Consider disabling unfiltered_html if not required.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. The Wordfence security team discovered and reported this issue. Evidence is limited to public CVE and NVD records. Defenders should verify vulnerability scope, affected versions, and configurations. They should also check for additional sources and security advisories for more information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:16.390Z and has not been modified since then.