PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8420 rdbeach CVE debrief

Cross-Site Request Forgery (CSRF) vulnerability in BLOGCHAT Chat System WordPress plugin versions up to and including 1.3.6.3 allows unauthenticated attackers to modify plugin settings and inject malicious web scripts via forged requests, contingent on tricking a site administrator into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation on a sensitive function. CVSS 3.1 score of 6.1 (Medium) reflects network attack vector, low attack complexity, no privileges required, user interaction required, and scope change with low confidentiality and integrity impact. CWE-352 (Cross-Site Request Forgery) is the primary weakness classification. The CVE was published on 2026-05-20 and last modified the same day. No known exploitation in ransomware campaigns or CISA KEV listing at time of disclosure.

Vendor
rdbeach
Product
BLOGCHAT Chat System
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators using BLOGCHAT Chat System plugin; security teams managing WordPress installations; web application security assessors evaluating plugin security posture

Technical summary

The BLOGCHAT Chat System plugin for WordPress fails to properly validate nonces on a settings update function, allowing unauthenticated attackers to forge requests that execute with administrator privileges. Successful exploitation requires social engineering to induce an authenticated administrator to visit a malicious URL. The vulnerability enables both unauthorized configuration changes and stored cross-site scripting through malicious script injection into plugin settings.

Defensive priority

medium

Recommended defensive actions

  • Update BLOGCHAT Chat System plugin to a version newer than 1.3.6.3 when available
  • Implement additional CSRF protection measures for administrative functions
  • Review plugin settings for unauthorized modifications if compromise is suspected
  • Consider implementing Content Security Policy headers to mitigate impact of potential script injection
  • Monitor for suspicious administrative activity in WordPress audit logs

Evidence notes

Vulnerability identified through WordPress plugin source code analysis. Multiple source code references point to wp-blogchat-widget.php at lines 208, 215, 222, and 293 in both tagged version 1.3.6.3 and trunk. Wordfence security advisory provides additional technical context.

Official resources

2026-05-20