PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2955 wupsales CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions up to and including 1.4.14). The plugin stores the value of the X-Forwarded-For HTTP header without sufficient input sanitization and later renders it without output escaping, so an unauthenticated attacker can place markup into storage simply by sending a request with a crafted header. When a user views a page that renders the stored value, the script executes in that user's browser context. A 20-character storage limit constrains practical exploitation and reduces the severity below that of a typical stored XSS. The vulnerability was disclosed on 2026-05-20 and carries a CVSS 3.1 score of 6.4 (Medium).

Vendor
wupsales
Product
AI Chatbot & Workflow Automation by AIWU
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators using the AI Chatbot & Workflow Automation by AIWU plugin; security teams monitoring for plugin-based XSS vectors; WAF operators managing header sanitization policies

Technical summary

The AI Chatbot & Workflow Automation by AIWU plugin does not properly sanitize the X-Forwarded-For header before storing it, nor escape it before display. Because any HTTP client can set this header, an attacker needs no account to supply the value; the payload is limited to the 20 characters the plugin stores, and it executes when an administrator or other user views the page that renders the stored value. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, and changed scope with low confidentiality and integrity impact. Note that PR:L in the vector is inconsistent with the unauthenticated exploitation described in the CVE text; defenders should plan for the unauthenticated case, since a reverse proxy that appends to rather than replaces the client-supplied header still passes attacker-controlled content through to WordPress.

Defensive priority

medium

Recommended defensive actions

  • Upgrade the AI Chatbot & Workflow Automation by AIWU plugin to version 1.4.15 or later
  • Review access logs for X-Forwarded-For values that are not a plain list of IP addresses, in particular values containing angle brackets, event handlers, or their URL-encoded forms; note that the default "combined" log formats of Apache and nginx do not record this header, so it must be added to the log format (or taken from the proxy's own logs) before such a review is possible
  • Implement Web Application Firewall (WAF) or reverse-proxy rules that drop requests whose X-Forwarded-For header is not a valid address list, and configure the proxy to overwrite rather than append the client-supplied header so that only proxy-inserted values reach WordPress
  • Audit plugin settings and database entries for unexpected markup in visitor log or analytics tables; upgrading does not necessarily remove values stored while the site was vulnerable
  • Apply output encoding to any plugin-displayed header-derived data, independently of input validation
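The following Python script is an added example for the log-review and hardening actions above; it is not code from PatchSiren, the plugin, or the advisory. It assumes an Apache "combined" access log with the X-Forwarded-For request header appended as a final quoted field (the LogFormat line in the comment), a constructed set of sample log lines, and that the plugin's 20-character store truncates rather than rejects over-length values. It shows the strict header parser a hardened plugin would use (only IP addresses are accepted, otherwise the socket peer address is stored), output escaping applied to whatever was stored, and a scanner that flags every request whose header is not a clean address list.

```python
import html
import ipaddress
import re
import urllib.parse

# Storage limit stated in the advisory for the header-derived value.
STORAGE_LIMIT = 20

# Log format is an assumption: Apache "combined" with the X-Forwarded-For
# request header appended as a final quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" xff
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Markers that indicate markup or script rather than an address; checked after URL-decoding.
SCRIPT_MARKERS = re.compile(r'<|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample lines (not real traffic); 203.0.113.0/24, 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.7"',
    '203.0.113.11 - - [20/May/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "curl/8.0" "<script>alert(1)</script>"',
    '203.0.113.12 - - [20/May/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 4200 "-" "Mozilla/5.0" "10.0.0.5, 198.51.100.7"',
    '203.0.113.13 - - [20/May/2026:10:01:12 +0000] "GET / HTTP/1.1" 200 4200 "-" "Mozilla/5.0" "%3Cimg src=x onerror=alert(1)%3E"',
    '203.0.113.14 - - [20/May/2026:10:01:15 +0000] "GET / HTTP/1.1" 200 4200 "-" "Mozilla/5.0" "-"',
]


def parse_xff(header):
    """Parse X-Forwarded-For strictly: every comma-separated element must be an IPv4 or IPv6
    address. Returns the list of normalised addresses, or None if anything else is present."""
    if header is None or header == "-":
        return None
    addresses = []
    for element in header.split(","):
        try:
            addresses.append(str(ipaddress.ip_address(element.strip())))
        except ValueError:
            return None
    return addresses or None


def client_ip_for_storage(xff_header, remote_addr):
    """Hardened storage path: accept the header only when it is a clean address list,
    otherwise fall back to the socket peer address. Nothing attacker-shaped reaches the database."""
    addresses = parse_xff(xff_header)
    if addresses:
        return addresses[0]
    return remote_addr


def render_visitor_cell(stored_value):
    """Output escaping applied regardless of what was stored, so a value that slipped past
    validation (or was stored by the unpatched version) still cannot execute."""
    return html.escape(stored_value, quote=True)


def scan_access_log(lines):
    """Flag every request whose X-Forwarded-For value is not a plain address list.
    Each finding records the client IP, the raw header, whether it looks like markup or script,
    and the 20-character prefix a truncating store would have kept (assumption: the plugin
    truncates rather than rejects over-length values)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected format; a real scanner would report this
        xff = m.group("xff")
        if xff == "-" or parse_xff(xff) is not None:
            continue  # header absent, or a well-formed address list
        decoded = urllib.parse.unquote(xff)
        findings.append({
            "line": lineno,
            "client": m.group("client"),
            "request": m.group("request"),
            "xff": xff,
            "script_like": SCRIPT_MARKERS.search(decoded) is not None,
            "stored_prefix": decoded[:STORAGE_LIMIT],
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: client={f['client']} script_like={f['script_like']} "
              f"xff={f['xff']!r} stored_prefix={f['stored_prefix']!r}")
    # Hardened path end to end: the crafted header is discarded and the peer address is stored.
    print(render_visitor_cell(client_ip_for_storage("<script>alert(1)</script>", "203.0.113.11")))
```

Treating "anything that is not an IP list" as the anomaly is deliberate: it catches encoded and obfuscated payloads that a signature for `<script` would miss, and legitimate proxies never put anything but addresses in this header. Run against a real log, the scanner needs only the LOG_RE pattern adjusted to the site's actual log format.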

Evidence notes

The vulnerability description and CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) are sourced from the official NVD record. The Wordfence advisory and plugin changeset confirm the affected component and remediation path. The 20-character storage limit is explicitly noted in the CVE description as a practical constraint on exploitation.

Official resources

2026-05-20