Chaty < 2.8.3 - Reflected Cross-Site Scripting
CVE-2021-25016

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Floating Chat Widget: Contact Icons, Messages, Telegram, Email, Sms, Call Button – Chaty; Floating Chat Widget Pro - Chaty Pro
Vendor: CVE Published:; 3 January 2022

Summary

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting

Affected Version(s)

Floating Chat Widget Pro - Chaty Pro 2.8.2

Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button – Chaty 2.8.3

References

https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-...

x_refsource_MISC

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 3, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Krzysztof Zając