CVE-2023-3245: CWE-79 Cross-Site Scripting (XSS) in Unknown Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button
The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
AI Analysis
Technical Summary
CVE-2023-3245 is a Stored Cross-Site Scripting (XSS) vulnerability in the Floating Chat Widget WordPress plugin, which adds floating contact icons for Telegram, Line Messenger, WeChat, email, SMS and phone calls to a site. Versions before 3.1.2 are affected. The root cause is that some of the plugin's settings are neither sanitised when saved nor escaped when rendered, so a user who can edit those settings (an administrator) can store arbitrary HTML and JavaScript in them. What makes this a reportable finding rather than expected administrator behaviour is the WordPress privilege model: core applies its kses filtering to post content, not to arbitrary options, so a plugin that stores settings raw is exploitable even by an administrator who lacks the 'unfiltered_html' capability. That capability is withheld from site administrators by default in multisite installations (only super admins hold it) and can be removed on any site with the DISALLOW_UNFILTERED_HTML constant, which is exactly the configuration in which an admin is not supposed to be able to inject script. Because the widget's settings are rendered into the site's pages, the stored payload executes in the browser of whoever views the affected output; depending on which setting is involved that can include other administrators (or super admins in multisite) and ordinary visitors. Running in an administrator's session, the script can perform authenticated actions such as creating users or installing plugins. The CVSS v3.1 base score is 4.8 (medium): network attack vector, low attack complexity, high privileges required, user interaction required (the victim must load the affected page), low confidentiality and integrity impact and no availability impact; a 4.8 with these metrics corresponds to a changed-scope vector, reflecting that the script runs in victims' browsers rather than within the plugin itself. No public exploit has been reported. The vendor is recorded as unknown in the CVE metadata and no patch link is listed, but the fixed version is stated as 3.1.2. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue matters most where several administrators manage a site, or where the plugin is deployed across many sites in a multisite network.
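The advisory does not publish the affected code, so the following is an added example written for this page, not the plugin's own source: a minimal settings-page pattern that reproduces the class of bug described (settings stored and echoed raw), beside the hardened form using WordPress's sanitize-on-save and escape-on-output functions. The option and field names (fcw_demo_*) are hypothetical; the two halves are alternatives and should not both be loaded in one plugin.

```php
<?php
/**
 * Added example (not the plugin's code): how unsanitised settings become
 * stored XSS in a WordPress plugin, and the fix. Option and field names
 * (fcw_demo_*) are hypothetical; the real option names are not in the advisory.
 */

/* ---------- VULNERABLE PATTERN (pre-3.1.2 style) ---------- */

// No sanitize_callback: whatever the admin submits is stored as-is.
// Core applies kses filtering to post content, not to arbitrary options,
// so a user lacking 'unfiltered_html' is NOT protected on this code path.
add_action( 'admin_init', function () {
    register_setting( 'fcw_demo_group', 'fcw_demo_settings' );
} );

function fcw_demo_render_widget_vulnerable() {
    $s = get_option( 'fcw_demo_settings', array() );
    // Raw interpolation into an attribute: a tooltip such as
    //   "><img src=x onerror=alert(document.domain)>
    // breaks out of title="" and runs for every visitor who sees the widget.
    echo '<a class="fcw-icon" href="' . $s['telegram_url'] . '" title="' . $s['tooltip'] . '">';
    echo '<span style="background:' . $s['color'] . '">' . $s['label'] . '</span></a>';
}

/* ---------- HARDENED PATTERN ---------- */

// Per-field sanitisation on save; unknown keys are dropped.
function fcw_demo_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // URL field: esc_url_raw() keeps only the listed schemes, so a
    // javascript: URL is rejected rather than stored.
    $clean['telegram_url'] = isset( $input['telegram_url'] )
        ? esc_url_raw( wp_unslash( $input['telegram_url'] ), array( 'https', 'http', 'tg' ) )
        : '';

    // Plain-text fields: sanitize_text_field() strips tags and control characters.
    foreach ( array( 'tooltip', 'label' ) as $key ) {
        $clean[ $key ] = isset( $input[ $key ] )
            ? sanitize_text_field( wp_unslash( $input[ $key ] ) )
            : '';
    }

    // Colour: must be a #rgb / #rrggbb literal, otherwise use a default.
    $color          = isset( $input['color'] ) ? sanitize_hex_color( $input['color'] ) : null;
    $clean['color'] = $color ? $color : '#0088cc';

    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'fcw_demo_group', 'fcw_demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'fcw_demo_sanitize_settings',
        'default'           => array(),
    ) );
} );

// Escape on output as well: sanitising on save is not a substitute, because
// the option may have been written before the fix or by other code.
function fcw_demo_render_widget_hardened() {
    $s = wp_parse_args( get_option( 'fcw_demo_settings', array() ), array(
        'telegram_url' => '', 'tooltip' => '', 'label' => '', 'color' => '#0088cc',
    ) );
    printf(
        '<a class="fcw-icon" href="%s" title="%s"><span style="background:%s">%s</span></a>',
        esc_url( $s['telegram_url'] ),
        esc_attr( $s['tooltip'] ),
        esc_attr( $s['color'] ),
        esc_html( $s['label'] )
    );
}
```

The sanitize callback is the control that 'unfiltered_html' would otherwise have provided: it runs for every caller of the Settings API regardless of capability, so a site administrator in a multisite network can no longer persist markup. Escaping at render time is kept as well, because values written before the fix remain in wp_options until they are rewritten.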
Potential Impact
For European organizations running WordPress sites with the Floating Chat Widget plugin, this vulnerability poses a moderate risk. An attacker who already holds administrator access can embed a script that executes in the browsers of other administrators or privileged users (and, where the affected setting is rendered on the public site, of ordinary visitors). WordPress authentication cookies are HttpOnly, so the realistic payload does not steal the session cookie but acts within the victim's session: it can submit authenticated requests with the nonces present on the page, for example to create a new administrator, change site options or install a plugin. That compromises the confidentiality and integrity of data managed through the WordPress backend. Organizations in sectors such as e-commerce, government, healthcare and finance, which often rely on WordPress for public-facing sites and internal portals, could face reputational damage, regulatory scrutiny under GDPR if personal data is exposed, and operational disruption. Because exploitation requires administrator privileges, the threat from an external attacker without a foothold is low; it becomes significant where an admin account is compromised or an insider abuses access, and the stored payload persists until the setting is cleaned. Multisite deployments, common in large enterprises and agencies, are the most relevant case: there a site administrator is deliberately denied 'unfiltered_html', and this bug lets that administrator bypass the restriction and target super admins who manage the whole network. Overall the impact is moderate, but it can escalate when chained with other vulnerabilities or social engineering.
Mitigation Recommendations
1. Upgrade the Floating Chat Widget plugin to version 3.1.2 or later, where the vulnerability is fixed. If an upgrade is not immediately possible, deactivate or remove the plugin to eliminate exposure.
2. Restrict administrator (and, in multisite, super admin) roles to trusted personnel and enforce MFA on those accounts to reduce the chance that a compromised credential is the attacker's entry point.
3. Audit the plugin's stored settings before and after upgrading: the fix stops new injections but does not rewrite values already saved in wp_options, so any existing payload keeps executing until the setting is corrected.
4. Add a Content Security Policy as defence in depth on the public front end, where the widget renders. Be aware that wp-admin depends heavily on inline scripts, so a strict CSP there requires nonces or hashes and extensive testing; a restrictive admin-side CSP is not a quick mitigation.
5. Monitor admin activity and request logs for unexpected changes to plugin settings, and for new administrator accounts or plugin installations that would be the typical follow-on actions of an XSS payload running in an admin session.
6. In multisite environments, review which users hold site administrator roles, keep 'unfiltered_html' withheld from them, and consider a global input-filtering layer so that one plugin's missing sanitisation does not reopen the gap.
7. Train administrators on the risks of stored XSS and on vetting plugins before installation.
8. Keep regular, tested backups of sites and configuration so that a compromised site can be restored.
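Recommendation 3 asks for an audit of stored settings. The following added example, written for this page and not part of the advisory or the plugin, shows one way to do that offline in plain PHP with no WordPress dependency, so it can run against an export made with `wp option get <option_name> --format=json > settings.json`. The option keys and the sample data are constructed for illustration; the plugin's real option name is not given in the advisory.

```php
<?php
/**
 * Added example (not part of the advisory or the plugin): offline audit of a
 * plugin's stored settings for injected markup. Plain PHP, no WordPress
 * dependency. Usage: php audit.php [settings.json]; with no argument it runs
 * on the constructed sample below. Keys and sample values are hypothetical.
 */

/**
 * Return findings for a (possibly nested) settings array.
 * Each finding: [ 'path' => 'a.b', 'reason' => '...', 'value' => '...' ].
 */
function fcw_audit_settings( array $settings, string $prefix = '' ): array {
    $findings = array();
    foreach ( $settings as $key => $value ) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if ( is_array( $value ) ) {
            $findings = array_merge( $findings, fcw_audit_settings( $value, $path ) );
            continue;
        }
        if ( ! is_string( $value ) ) {
            continue;
        }
        // Decode entities first so &lt;script&gt; stored "encoded" is still seen.
        $decoded = html_entity_decode( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );

        // 1. Any HTML tag: a tooltip, label or URL setting should never contain one.
        if ( strip_tags( $decoded ) !== $decoded ) {
            $findings[] = array( 'path' => $path, 'reason' => 'contains HTML markup', 'value' => $value );
            continue;
        }
        // 2. Attribute break-out or script-bearing fragments without a full tag,
        //    e.g. `" onmouseover="...` in a text field or `javascript:` in a URL.
        if ( preg_match( '/(^|[\s"\'>\/])on[a-z]+\s*=/i', $decoded )
            || preg_match( '/^\s*(javascript|data|vbscript)\s*:/i', $decoded ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'event handler or script URL', 'value' => $value );
        }
    }
    return $findings;
}

/* Constructed sample export: three benign values and two injected ones. */
$sample = array(
    'telegram_url' => 'https://t.me/example_support',
    'label'        => 'Chat with us',
    'color'        => '#0088cc',
    'tooltip'      => '"><img src=x onerror=alert(document.domain)>',
    'sms'          => array( 'number' => '+4400000000', 'link' => 'javascript:alert(1)' ),
);

$input    = $argv[1] ?? null;
$settings = $input ? json_decode( file_get_contents( $input ), true ) : $sample;

foreach ( fcw_audit_settings( (array) $settings ) as $f ) {
    printf( "%-14s %-28s %s\n", $f['path'], $f['reason'], $f['value'] );
}
```

Run against the sample, the script reports `tooltip` (markup present) and `sms.link` (script URL) and stays silent on the three benign values. Treat the output as triage rather than a verdict: legitimate settings that intentionally contain HTML will be flagged, and a value that is clean under these checks but is echoed into an unexpected context may still be dangerous. Any flagged value should be reset from the plugin's settings screen after upgrading, so that the fixed sanitize path rewrites it.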
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2023-06-14T15:04:36.143Z
- CISA Enriched: true
Threat ID: 682d9846c4522896dcbf5015
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 10:51:37 AM
Last updated: 8/9/2025, 8:00:55 PM