PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13005 mxchat CVE debrief

The MxChat – AI Chatbot & Content Generation for WordPress plugin is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.10. This is due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level permissions can inject web scripts that execute when users access injected pages. This vulnerability affects multi-site installations and installations where unfiltered_html has been disabled.

Vendor
mxchat
Product
MxChat – AI Chatbot & Content Generation for WordPress
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators of WordPress installations using the MxChat plugin, especially those with multi-site setups or where unfiltered_html is disabled, should prioritize updating to a patched version.

Technical summary

CVE-2026-13005 is a Stored Cross-Site Scripting (XSS) vulnerability in the MxChat – AI Chatbot & Content Generation for WordPress plugin. The vulnerability exists in versions up to and including 3.2.10 and is caused by inadequate input sanitization and output escaping in admin settings. Exploitation requires administrator-level permissions and can only occur in multi-site installations or where unfiltered_html is disabled. Successful exploitation allows attackers to inject arbitrary web scripts that execute when users access the injected pages.

Defensive priority

Medium priority due to the requirement for administrator-level permissions and specific configuration vulnerabilities.

Recommended defensive actions

  • Update MxChat plugin to a version beyond 3.2.10.
  • Review and enhance input sanitization and output escaping in admin settings.
  • Monitor for suspicious admin activity and injected scripts.
  • Consider disabling unfiltered_html if not required.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. The Wordfence security team discovered and reported this issue. Evidence is limited to public CVE and NVD records. Defenders should verify vulnerability scope, affected versions, and configurations. They should also check for additional sources and security advisories for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:16.390Z and has not been modified since then.