HarborGuard Database

Severity: HIGH | CVE-2026-40765 | Published | Modified | CNA: Patchstack

CVE-2026-40765: WordPress collectchat plugin <= 2.4.9 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no fix version published upstream
Affected Products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability exists in the WordPress collectchat plugin, versions 2.4.9 and earlier. The flaw is reachable over the network without any authentication, but requires a victim to interact with a crafted link or page. Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser session, enabling session theft, page content manipulation, and limited service disruption. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-40765 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images, including custom-built images that bundle the collectchat plugin. Coverage applies to both registry scans and in-pipeline image checks.

Triage (Available)

HarborGuard is capable of scoring this CVE at 7.1 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to reflect actual risk tolerance. Triage findings are routed to the inbox configured for the affected workload within each customer organization.

Patch (Pending upstream)

No fix version has been published upstream for this CVE. HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected WordPress site over the network; local or physical access is not required.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated user.

  • Victim interaction: Required

    A victim must be socially engineered into clicking a crafted link or visiting a malicious page that triggers the XSS payload.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable; no race conditions or special environmental factors must be met.

Blast Radius

  • Reads session cookies or authentication tokens stored in the victim's browser, enabling account hijacking.
  • Injects and executes arbitrary JavaScript in the victim's browser session within the context of the WordPress site.
  • Modifies page content visible to the victim, enabling phishing or credential-harvesting overlays.
  • Triggers limited disruption of the victim's interaction with the affected WordPress site.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-40765 is active across all connected registries and build pipelines. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. In the meantime, customers can apply compensating controls through network-policy isolation (restricting public exposure of the WordPress instance), egress filtering to limit what JavaScript can reach from within the browser context, and disabling or removing the collectchat plugin entirely where its functionality is not required. For customers with auto-remediation enabled, the rebuild, regression run, and patch PR will be triggered automatically once an upstream fix is available, with no manual steps needed.

Affected packages

  • collectchat / collectchat, versions ≤ 2.4.9

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L