CVE-2025-3670 KiwiChat NextClient

CVE-2025-3670 KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

May 2, 2025 invoker category_cve

Vulnerability Details

Basic Information

Title	CVE-2025-3670 KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Type	cvelist
Published	2025-05-02T01:43:36
Last Seen	2025-05-02T02:29:01
CVSS Score	6.4 (MEDIUM)

CVSS v3 Details

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	CHANGED
Confidentiality Impact	LOW
Integrity Impact	LOW
Availability Impact	NONE

CVE Information

CVE IDs	CVE-2025-3670
CWE	CWE-79
Bulletin Family	cve

Description

The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible…

Impact Assessment

Base Score	6.4
Severity	MEDIUM

View full CVE details