Stored Cross-Site Scripting Vulnerability in Chatra Live Chat Plugin for WordPress
CVE-2026-12041

4.4MEDIUM

What is CVE-2026-12041?

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is susceptible to a stored cross-site scripting vulnerability through its admin settings. This issue arises due to inadequate input sanitization and output escaping, allowing authenticated users with administrative privileges to embed malicious web scripts within pages. As a result, these scripts are executed every time a user visits any compromised page. This vulnerability particularly impacts multi-site installations where the option 'unfiltered_html' is disabled.

Affected Version(s)

Chatra Live Chat + ChatBot + Cart Saver 0 <= 1.0.12

References

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Simon Tran
.