CVE-2023-3667: CWE-79 Cross-Site Scripting (XSS) in Unknown Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget
The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
AI Analysis
Technical Summary
CVE-2023-3667 is a stored Cross-Site Scripting (XSS) vulnerability in the Bit Assist WordPress plugin (listed in the plugin directory as "Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget"), affecting versions before 1.1.9. The plugin stores some of its settings without sanitising them on save and prints them without escaping on output, so a user who can edit the plugin's settings (in practice an administrator) can store a script payload that later runs in the browser of anyone who loads the affected page. The detail that makes this more than an "admin attacks themselves" finding is the unfiltered_html capability: WordPress core passes content through KSES for users who lack it, and on a multisite network every site administrator who is not a super admin lacks it. Because the plugin writes the setting straight to the options table without applying that filtering itself, the core protection never runs, and a site admin on one site of a network can plant script that executes in a super admin's session, which is a privilege boundary WordPress is designed to enforce. The CVSS 3.1 base score is 4.8 (medium): network attack vector, low attack complexity, high privileges required, user interaction required and changed scope, with low confidentiality and integrity impact and no availability impact (this matches the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). Script running in a victim's browser can read page content, perform actions with the victim's authenticated session, or alter what the page displays; note that WordPress sets its authentication cookies HttpOnly by default, so the realistic abuse is driving the victim's browser (for example submitting admin forms or REST requests with the victim's nonce) rather than lifting the session cookie. No exploitation in the wild is reported. The fix is in version 1.1.9, so sites on that release or later are not affected; the CVE was assigned by WPScan.
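The following PHP is an added illustration, not Bit Assist's code and not derived from the plugin's source. It contrasts the settings pattern the description implies (a value written with no sanitisation and echoed with no escaping) with the hardened form a WordPress plugin should use, including the unfiltered_html handling that the multisite note in the description turns on. The option name demo_chat_widget_title, the nonce action demo_chat_settings and every function name below are hypothetical.

```php
<?php
/**
 * Added example (hypothetical plugin code, not Bit Assist): a settings
 * field that becomes an admin+ stored XSS, beside the hardened version.
 */

// --- Vulnerable pattern -------------------------------------------------
// Save: the raw POST value goes straight into the options table. No KSES
// filtering runs, so a <script> payload is stored even for an admin who
// lacks unfiltered_html (every non-super-admin on a multisite network).
function demo_chat_save_vulnerable() {
    check_admin_referer( 'demo_chat_settings' );
    update_option( 'demo_chat_widget_title', wp_unslash( $_POST['demo_chat_widget_title'] ) );
}

// Render: the stored value is echoed unescaped both inside an attribute and
// as element content, so either "><script>...</script> or a bare
// " onmouseover=... payload executes for every visitor and every admin.
function demo_chat_render_vulnerable() {
    $title = get_option( 'demo_chat_widget_title', '' );
    echo '<div class="chat-widget" data-title="' . $title . '">' . $title . '</div>';
}

// --- Hardened pattern ---------------------------------------------------
// 1. Register the option with a sanitize_callback. WordPress applies it via
//    the sanitize_option_{$option} filter inside update_option(), so every
//    write path (settings form, REST, direct update_option) is filtered.
function demo_chat_register_settings() {
    register_setting(
        'demo_chat',
        'demo_chat_widget_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_chat_sanitize_title',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_chat_register_settings' );

// A widget title has no business containing markup: plain-text sanitiser.
function demo_chat_sanitize_title( $value ) {
    return sanitize_text_field( (string) $value );
}

// For a field that legitimately accepts limited HTML (a greeting message,
// say), mirror what core does for post content: users who hold
// unfiltered_html keep their markup, everyone else gets KSES-filtered HTML,
// which drops <script>, on* handlers and javascript: URLs.
function demo_chat_sanitize_greeting( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

// 2. Escape at output for the context the value lands in: esc_attr() for an
//    attribute value, esc_html() for element content. Sanitising on save is
//    not a substitute, because the stored value may predate the sanitiser.
function demo_chat_render_hardened() {
    $title = get_option( 'demo_chat_widget_title', '' );
    printf(
        '<div class="chat-widget" data-title="%s">%s</div>',
        esc_attr( $title ),
        esc_html( $title )
    );
}

// 3. Guard the save handler itself: capability check plus nonce. The
//    sanitize_callback registered above runs inside update_option().
function demo_chat_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'demo_chat_settings' );
    update_option( 'demo_chat_widget_title', wp_unslash( $_POST['demo_chat_widget_title'] ?? '' ) );
}
```

Two points of the design are worth stating. First, sanitising on save and escaping on output are separate controls: the sanitiser protects the database from new payloads, the escaper protects the page from whatever is already stored, and a fix that only adds the former leaves a payload planted before the update live until the option is rewritten. Second, the unfiltered_html check is what preserves the multisite trust boundary; a plugin that skips it is effectively granting every site admin a capability the network owner withheld.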
Potential Impact
For European organizations, this vulnerability poses a moderate risk, confined to websites running the Bit Assist chat plugin at a version before 1.1.9. Exploitation could lead to actions performed with the session of an administrator or visitor, defacement or manipulation of the chat widget and surrounding page, and leakage of data visible in the victim's browser. Because injecting the payload requires administrator-level access, the initial vector is limited to insiders or attackers who have already compromised an admin account; on multisite networks it also gives a site administrator a route to script execution in a super admin's session, which is an escalation the platform otherwise prevents. Once stored, the payload affects every user who loads the page, including other administrators and visitors, so the blast radius is larger than the privilege requirement suggests. Organizations in sectors with high customer interaction via web chat (e-commerce, financial services, public services) may face reputational damage and regulatory scrutiny under GDPR if personal data is exposed or manipulated. A fixed release (1.1.9) exists, so the residual risk sits with sites that have not updated, particularly multisite deployments common in large enterprises and service providers across Europe, where the unfiltered_html bypass matters most.
Mitigation Recommendations
1. Update Bit Assist to version 1.1.9 or later; this is the only complete fix. If updating is not immediately possible, deactivate the plugin until it is.
2. Inspect the plugin's stored settings (in the wp_options table of each site on a network) for script tags, inline event handler attributes, or javascript: URLs, both before and after updating, since updating does not remove a payload that was stored earlier.
3. Restrict administrative access to trusted personnel and audit existing admin accounts for unexpected additions or activity, especially site-level admins on multisite networks, who are the users the unfiltered_html bypass empowers.
4. Enforce least privilege: give only the users who need it the ability to change plugin settings, and keep unfiltered_html withheld from site admins on multisite as WordPress does by default.
5. Treat Web Application Firewall rules for XSS in the plugin's settings fields as a partial layer only; admin-area requests are often excluded from WAF inspection and encoded payloads routinely evade signature rules.
6. Monitor logs for unusual input patterns or changes to plugin settings, and alert on options being rewritten outside normal change windows.
7. Educate administrators on the risks of pasting untrusted content into plugin configurations.
8. Track WPScan and WordPress security advisories for this and other plugins so patches are applied promptly, and consider a well-maintained alternative chat plugin if the vendor's response to security reports is slow.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2023-07-13T18:34:15.748Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981fc4522896dcbdc728
Added to database: 5/21/2025, 9:08:47 AM
Last enriched: 7/7/2025, 12:43:09 AM
Last updated: 8/15/2025, 8:30:54 PM
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)