cleantalk
Vulnerabilities and Security Researches

Collect.chat – Chatbot ⚡️, CVE-2026-0736

CVE, Research URL

CVE-2026-0736

Home page URL

Security reports for Collect.chat – Chatbot ⚡️

Application

Collect.chat – Chatbot ⚡️

Published on
Feb 14, 2026
Research Description
The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.4.9.
Status
vulnerable
Previous vulnerability researches
Happy Addons for Elementor (CVE-2025-68999) , Feb 27, 2026
Happy Addons for Elementor (CVE-2025-30766) , Apr 02, 2025
Happy Addons for Elementor (CVE-2024-5647) , Apr 13, 2026
Happy Addons for Elementor (CVE-2024-10538) , Nov 14, 2024
Happy Addons for Elementor (CVE-2024-12852) , Jan 09, 2025
New vulnerability
PostmarkApp Email Integrator (CVE-2026-1043) , Apr 16, 2026
Name Directory (CVE-2026-1866) , Apr 15, 2026
Name Directory (CVE-2026-3178) , Apr 15, 2026
Online Ordering System For Restaurants & Local Retail by Orderable (CVE-2026-0974) , Apr 15, 2026
Geo Mashup (CVE-2026-2416) , Apr 15, 2026