CVE-2025-1450: Stored XSS Vulnerability in Floating Chat Widget for WordPress - Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty Plugin (up to Version 3.3.5)

A new vulnerability, identified as CVE-2025-1450, has been discovered in the Floating Chat Widget – Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty Plugin for WordPress, which affects all versions up to and including 3.3.5. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that would execute on an infected page, resulting in a stored Cross-Site Scripting (XSS) attack.

Vulnerability Details

The vulnerability is caused by insufficient input sanitization and output escaping when processing the data-hover parameter in the plugin. Attackers can exploit this vulnerability by injecting malicious web scripts that would be executed whenever a user accesses an infected page.

Here's a demonstration of the vulnerable code (supposed to be provided by plugin developers)

// Inserting the chat icon and handling the data-hover parameter
function chaty_insert_chat_icon($channel, $icon) {
    $output = '<div class="chaty-widget '.$channel.'-icon" data-hover="'.$icon['hover_text'].'">';
    // ...
}

In the "Chaty Settings" tab, they enter their payload in the "Tooltip Text" field, for instance

<script>alert('XSS');</script>

The attacker saves the settings and logs out.

5. When a user visits a page on the website, the attacker's script will execute, displaying an alert message with "XSS". This is a proof-of-concept example; the attacker could inject any script they want, potentially stealing sensitive information or hijacking user accounts.

For more information, check out these links

1. CVE-2025-1450 Details on CVE Hub
2. Plugin Vulnerability Announcement
3. WordPress.org Plugin Repository

Mitigation

Users of the vulnerable Floating Chat Widget should update their plugin immediately to version 3.3.6 or later, which contains a fix for this vulnerability. We also recommend all WordPress administrators to implement a robust plugin update policy and ensure that their user access privileges follow the principle of least privilege.

Here are some suggested countermeasures

1. Regularly check WordPress plugin repositories and developers' websites for announcements and updates.

Install security plugins that can help identify and block potential XSS attacks.

Stay safe, and protect your website by keeping your plugins up-to-date and following best security practices!

Timeline

Published on: 02/27/2025 10:15:10 UTC