CVE-2025-3670 identifies a stored cross-site scripting (XSS) vulnerability in the KiwiChat NextClient plugin for WordPress, present in all versions up to and including 6.2. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient sanitization and output escaping of the 'url' parameter. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages served by the plugin. Because the injected scripts are stored persistently, they execute automatically whenever any user views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79, a common web application security weakness. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially compromised privilege boundary. No public exploits have been reported yet, but the vulnerability is publicly disclosed and enriched by CISA. The lack of available patches at the time of disclosure necessitates immediate attention from administrators. Given WordPress’s widespread use and the plugin’s role in chat functionality, this vulnerability could be leveraged to target site users and administrators alike.

The primary impact of CVE-2025-3670 is the compromise of user confidentiality and integrity through stored XSS attacks. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user visiting the infected pages, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. This can erode user trust, damage organizational reputation, and lead to data breaches. Since the vulnerability does not affect availability directly, denial-of-service impacts are minimal. However, the scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initial privilege boundary, increasing the risk profile. Organizations running WordPress sites with KiwiChat NextClient installed are at risk, especially those with multiple contributors or public-facing chat features. The medium severity score suggests a moderate but actionable threat that could be exploited in targeted attacks or automated campaigns once exploits become available. The absence of known exploits currently limits immediate widespread impact but does not preclude future exploitation.

To mitigate CVE-2025-3670, organizations should first check for and apply any official patches or updates released by the KiwiChat vendor as soon as they become available. In the absence of patches, administrators should consider temporarily disabling the KiwiChat NextClient plugin or restricting contributor-level access to trusted users only. Implementing a web application firewall (WAF) with custom rules to detect and block suspicious payloads in the 'url' parameter can help reduce exploitation risk. Additionally, site owners should enforce strict content security policies (CSP) to limit the execution of unauthorized scripts. Regularly auditing user permissions and monitoring logs for unusual activity related to the plugin can provide early detection of exploitation attempts. Developers maintaining the plugin should adopt secure coding practices, including proper input validation and output encoding, to prevent similar vulnerabilities in future releases. Finally, educating contributors about the risks of injecting untrusted content and encouraging the use of safe input methods can reduce attack surface.