CVE-2025-1450
📋 TL;DR
This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into WordPress pages using the Chaty plugin. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Chaty plugin versions up to 3.3.5 are affected.
💻 Affected Systems
- Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users.
Likely Case
Attackers inject malicious scripts to steal user session cookies or credentials, potentially gaining unauthorized access to the WordPress admin panel.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only legitimate chat widget functionality operates.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3246336/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Chaty' plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.3.6+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable Chaty Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate chaty
Restrict User Roles
allLimit Contributor and higher roles to trusted users only.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in 'data-hover' parameter
- Apply strict Content Security Policy (CSP) headers to limit script execution sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Chaty version. If version is 3.3.5 or lower, you are vulnerable.Check Version:
wp plugin get chaty --field=versionVerify Fix Applied:
After updating, verify Chaty plugin version is 3.3.6 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with 'data-hover' parameter containing script tags
- Multiple failed login attempts followed by successful Contributor-level login
Network Indicators:
- HTTP requests containing malicious script payloads in 'data-hover' parameter
- Outbound connections to suspicious domains from WordPress pages
SIEM Query:
source="wordpress.log" AND ("data-hover" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))🔗 References
- https://plugins.trac.wordpress.org/browser/chaty/tags/3.3.4/js/cht-front-script.js#L389
- https://plugins.trac.wordpress.org/browser/chaty/tags/3.3.5/js/cht-front-script.min.js
- https://plugins.trac.wordpress.org/changeset/3246336/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a87d0966-3fd4-46f8-acd5-1cf0cb18af42?source=cve
