Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities found for chaty by premio
CVE-2026-27370 (GCVE-0-2026-27370)
Vulnerability from nvd – Published: 2026-03-05 05:53 – Updated: 2026-04-01 14:15
VLAI?
Title
WordPress Chaty plugin <= 3.5.1 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through <= 3.5.1.
Severity ?
7.5 (High)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | |
|---|---|---|
Date Public ?
2026-04-01 16:05
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:56:12.793900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:56:18.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "chaty",
"product": "Chaty",
"vendor": "Premio",
"versions": [
{
"changes": [
{
"at": "3.5.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:17.453Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects Chaty: from n/a through \u003c= 3.5.1.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through \u003c= 3.5.1."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:15:12.467Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/chaty/vulnerability/wordpress-chaty-plugin-3-5-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress Chaty plugin \u003c= 3.5.1 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27370",
"datePublished": "2026-03-05T05:53:55.991Z",
"dateReserved": "2026-02-19T09:51:54.220Z",
"dateUpdated": "2026-04-01T14:15:12.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47759 (GCVE-0-2023-47759)
Vulnerability from nvd – Published: 2023-11-22 19:49 – Updated: 2026-04-23 13:50
VLAI?
Title
WordPress Chaty plugin <= 3.1.2 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty chaty allows DOM-Based XSS.This issue affects Chaty: from n/a through <= 3.1.2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Date Public ?
2026-04-22 14:44
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:43.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T14:22:59.388715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T15:49:13.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "chaty",
"product": "Chaty",
"vendor": "Premio",
"versions": [
{
"changes": [
{
"at": "3.1.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "emad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:44:15.568Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Premio Chaty chaty allows DOM-Based XSS.\u003cp\u003eThis issue affects Chaty: from n/a through \u003c= 3.1.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Premio Chaty chaty allows DOM-Based XSS.This issue affects Chaty: from n/a through \u003c= 3.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:50:39.835Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/chaty/vulnerability/wordpress-chaty-plugin-3-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Chaty plugin \u003c= 3.1.2 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-47759",
"datePublished": "2023-11-22T19:49:29.305Z",
"dateReserved": "2023-11-09T18:57:40.988Z",
"dateUpdated": "2026-04-23T13:50:39.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-25019 (GCVE-0-2023-25019)
Vulnerability from nvd – Published: 2023-08-30 11:51 – Updated: 2024-09-24 19:23
VLAI?
Title
WordPress Chaty Plugin <= 3.0.9 is vulnerable to Cross Site Scripting (XSS)
Summary
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin <= 3.0.9 versions
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:11:43.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T19:18:55.730548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T19:23:44.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "chaty",
"product": "Chaty",
"vendor": "Premio",
"versions": [
{
"changes": [
{
"at": "3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.0.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;3.0.9 versions\u003c/span\u003e"
}
],
"value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin \u003c=\u00a03.0.9 versions"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-30T11:51:48.807Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.1 or a higher version."
}
],
"value": "Update to\u00a03.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Chaty Plugin \u003c= 3.0.9 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-25019",
"datePublished": "2023-08-30T11:51:48.807Z",
"dateReserved": "2023-02-02T09:58:48.539Z",
"dateUpdated": "2024-09-24T19:23:44.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3245 (GCVE-0-2023-3245)
Vulnerability from nvd – Published: 2023-07-17 13:29 – Updated: 2025-04-23 16:20
VLAI?
Title
Floating Chat Widget < 3.1.2 - Admin+ Stored Cross-Site Scripting
Summary
The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button |
Affected:
0 , < 3.1.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/f9f8ae7e-6621-4e29-9257-b8306dbe8811"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-3245",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T16:07:42.744242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:20:07.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dipak Panchal (th3.d1pak)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T13:29:56.180Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f9f8ae7e-6621-4e29-9257-b8306dbe8811"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Floating Chat Widget \u003c 3.1.2 - Admin+ Stored Cross-Site Scripting",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-3245",
"datePublished": "2023-07-17T13:29:56.180Z",
"dateReserved": "2023-06-14T15:04:36.143Z",
"dateUpdated": "2025-04-23T16:20:07.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3858 (GCVE-0-2022-3858)
Vulnerability from nvd – Published: 2022-12-05 16:50 – Updated: 2025-04-23 14:58
VLAI?
Title
Chaty < 3.0.3 - Admin+ SQLi
Summary
The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button |
Affected:
0 , < 3.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d251b6c1-602b-4d72-9d6a-bf5d5ec541ec"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3858",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:58:07.283537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:58:43.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Duy Quoc Khanh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T16:50:40.032Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d251b6c1-602b-4d72-9d6a-bf5d5ec541ec"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Chaty \u003c 3.0.3 - Admin+ SQLi",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3858",
"datePublished": "2022-12-05T16:50:40.032Z",
"dateReserved": "2022-11-04T08:38:15.505Z",
"dateUpdated": "2025-04-23T14:58:43.875Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36846 (GCVE-0-2021-36846)
Vulnerability from nvd – Published: 2022-04-11 19:37 – Updated: 2025-02-20 20:28
VLAI?
Title
WordPress Chaty plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Summary
Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) <= 2.8.3
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Premio | Chaty (WordPress plugin) |
Affected:
<= 2.8.3 , ≤ 2.8.3
(custom)
|
Date Public ?
2022-04-07 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/chaty/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:32:04.282425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:28:13.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chaty (WordPress plugin)",
"vendor": "Premio",
"versions": [
{
"lessThanOrEqual": "2.8.3",
"status": "affected",
"version": "\u003c= 2.8.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance)"
}
],
"datePublic": "2022-04-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) \u003c= 2.8.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-11T19:37:41.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/chaty/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Chaty plugin \u003c= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-04-07T22:27:00.000Z",
"ID": "CVE-2021-36846",
"STATE": "PUBLIC",
"TITLE": "WordPress Chaty plugin \u003c= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Chaty (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.8.3",
"version_value": "2.8.3"
}
]
}
}
]
},
"vendor_name": "Premio"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) \u003c= 2.8.3"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/chaty/",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/chaty/"
},
{
"name": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36846",
"datePublished": "2022-04-11T19:37:41.707Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:28:13.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25016 (GCVE-0-2021-25016)
Vulnerability from nvd – Published: 2022-01-03 12:49 – Updated: 2024-08-03 19:49
VLAI?
Title
Chaty < 2.8.3 - Reflected Cross-Site Scripting
Summary
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Unknown | Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button – Chaty |
Affected:
2.8.3 , < 2.8.3
(custom)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:14.553Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button \u2013 Chaty",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "2.8.3",
"versionType": "custom"
}
]
},
{
"product": "Floating Chat Widget Pro - Chaty Pro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.8.2",
"status": "affected",
"version": "2.8.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-03T12:49:12.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Chaty \u003c 2.8.3 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-25016",
"STATE": "PUBLIC",
"TITLE": "Chaty \u003c 2.8.3 - Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button \u2013 Chaty",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.8.3",
"version_value": "2.8.3"
}
]
}
},
{
"product_name": "Floating Chat Widget Pro - Chaty Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.8.2",
"version_value": "2.8.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Krzysztof Zaj\u0105c"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-25016",
"datePublished": "2022-01-03T12:49:12.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:49:14.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-27370 (GCVE-0-2026-27370)
Vulnerability from cvelistv5 – Published: 2026-03-05 05:53 – Updated: 2026-04-01 14:15
VLAI?
Title
WordPress Chaty plugin <= 3.5.1 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through <= 3.5.1.
Severity ?
7.5 (High)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | |
|---|---|---|
Date Public ?
2026-04-01 16:05
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:56:12.793900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:56:18.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "chaty",
"product": "Chaty",
"vendor": "Premio",
"versions": [
{
"changes": [
{
"at": "3.5.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:17.453Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects Chaty: from n/a through \u003c= 3.5.1.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through \u003c= 3.5.1."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:15:12.467Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/chaty/vulnerability/wordpress-chaty-plugin-3-5-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress Chaty plugin \u003c= 3.5.1 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27370",
"datePublished": "2026-03-05T05:53:55.991Z",
"dateReserved": "2026-02-19T09:51:54.220Z",
"dateUpdated": "2026-04-01T14:15:12.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47759 (GCVE-0-2023-47759)
Vulnerability from cvelistv5 – Published: 2023-11-22 19:49 – Updated: 2026-04-23 13:50
VLAI?
Title
WordPress Chaty plugin <= 3.1.2 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty chaty allows DOM-Based XSS.This issue affects Chaty: from n/a through <= 3.1.2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Date Public ?
2026-04-22 14:44
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:43.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T14:22:59.388715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T15:49:13.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "chaty",
"product": "Chaty",
"vendor": "Premio",
"versions": [
{
"changes": [
{
"at": "3.1.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "emad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:44:15.568Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Premio Chaty chaty allows DOM-Based XSS.\u003cp\u003eThis issue affects Chaty: from n/a through \u003c= 3.1.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Premio Chaty chaty allows DOM-Based XSS.This issue affects Chaty: from n/a through \u003c= 3.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:50:39.835Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/chaty/vulnerability/wordpress-chaty-plugin-3-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Chaty plugin \u003c= 3.1.2 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-47759",
"datePublished": "2023-11-22T19:49:29.305Z",
"dateReserved": "2023-11-09T18:57:40.988Z",
"dateUpdated": "2026-04-23T13:50:39.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-25019 (GCVE-0-2023-25019)
Vulnerability from cvelistv5 – Published: 2023-08-30 11:51 – Updated: 2024-09-24 19:23
VLAI?
Title
WordPress Chaty Plugin <= 3.0.9 is vulnerable to Cross Site Scripting (XSS)
Summary
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin <= 3.0.9 versions
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:11:43.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T19:18:55.730548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T19:23:44.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "chaty",
"product": "Chaty",
"vendor": "Premio",
"versions": [
{
"changes": [
{
"at": "3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.0.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;3.0.9 versions\u003c/span\u003e"
}
],
"value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin \u003c=\u00a03.0.9 versions"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-30T11:51:48.807Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.1 or a higher version."
}
],
"value": "Update to\u00a03.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Chaty Plugin \u003c= 3.0.9 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-25019",
"datePublished": "2023-08-30T11:51:48.807Z",
"dateReserved": "2023-02-02T09:58:48.539Z",
"dateUpdated": "2024-09-24T19:23:44.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3245 (GCVE-0-2023-3245)
Vulnerability from cvelistv5 – Published: 2023-07-17 13:29 – Updated: 2025-04-23 16:20
VLAI?
Title
Floating Chat Widget < 3.1.2 - Admin+ Stored Cross-Site Scripting
Summary
The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button |
Affected:
0 , < 3.1.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/f9f8ae7e-6621-4e29-9257-b8306dbe8811"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-3245",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T16:07:42.744242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:20:07.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dipak Panchal (th3.d1pak)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T13:29:56.180Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f9f8ae7e-6621-4e29-9257-b8306dbe8811"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Floating Chat Widget \u003c 3.1.2 - Admin+ Stored Cross-Site Scripting",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-3245",
"datePublished": "2023-07-17T13:29:56.180Z",
"dateReserved": "2023-06-14T15:04:36.143Z",
"dateUpdated": "2025-04-23T16:20:07.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3858 (GCVE-0-2022-3858)
Vulnerability from cvelistv5 – Published: 2022-12-05 16:50 – Updated: 2025-04-23 14:58
VLAI?
Title
Chaty < 3.0.3 - Admin+ SQLi
Summary
The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button |
Affected:
0 , < 3.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d251b6c1-602b-4d72-9d6a-bf5d5ec541ec"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3858",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:58:07.283537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:58:43.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Duy Quoc Khanh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T16:50:40.032Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d251b6c1-602b-4d72-9d6a-bf5d5ec541ec"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Chaty \u003c 3.0.3 - Admin+ SQLi",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3858",
"datePublished": "2022-12-05T16:50:40.032Z",
"dateReserved": "2022-11-04T08:38:15.505Z",
"dateUpdated": "2025-04-23T14:58:43.875Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36846 (GCVE-0-2021-36846)
Vulnerability from cvelistv5 – Published: 2022-04-11 19:37 – Updated: 2025-02-20 20:28
VLAI?
Title
WordPress Chaty plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Summary
Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) <= 2.8.3
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Premio | Chaty (WordPress plugin) |
Affected:
<= 2.8.3 , ≤ 2.8.3
(custom)
|
Date Public ?
2022-04-07 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/chaty/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:32:04.282425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:28:13.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chaty (WordPress plugin)",
"vendor": "Premio",
"versions": [
{
"lessThanOrEqual": "2.8.3",
"status": "affected",
"version": "\u003c= 2.8.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance)"
}
],
"datePublic": "2022-04-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) \u003c= 2.8.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-11T19:37:41.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/chaty/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Chaty plugin \u003c= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-04-07T22:27:00.000Z",
"ID": "CVE-2021-36846",
"STATE": "PUBLIC",
"TITLE": "WordPress Chaty plugin \u003c= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Chaty (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 2.8.3",
"version_value": "2.8.3"
}
]
}
}
]
},
"vendor_name": "Premio"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) \u003c= 2.8.3"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/chaty/",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/chaty/"
},
{
"name": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-2-8-3-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36846",
"datePublished": "2022-04-11T19:37:41.707Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:28:13.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25016 (GCVE-0-2021-25016)
Vulnerability from cvelistv5 – Published: 2022-01-03 12:49 – Updated: 2024-08-03 19:49
VLAI?
Title
Chaty < 2.8.3 - Reflected Cross-Site Scripting
Summary
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Unknown | Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button – Chaty |
Affected:
2.8.3 , < 2.8.3
(custom)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:14.553Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button \u2013 Chaty",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "2.8.3",
"versionType": "custom"
}
]
},
{
"product": "Floating Chat Widget Pro - Chaty Pro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.8.2",
"status": "affected",
"version": "2.8.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-03T12:49:12.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Chaty \u003c 2.8.3 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-25016",
"STATE": "PUBLIC",
"TITLE": "Chaty \u003c 2.8.3 - Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button \u2013 Chaty",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.8.3",
"version_value": "2.8.3"
}
]
}
},
{
"product_name": "Floating Chat Widget Pro - Chaty Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.8.2",
"version_value": "2.8.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Krzysztof Zaj\u0105c"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-25016",
"datePublished": "2022-01-03T12:49:12.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:49:14.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}