
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Feb 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro allows uploading a web shell to a web server. This issue affects Chaty Pro: from n/a through 3.3.3. The Chaty Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/chaty-pro/vulnerability/wordpress-chaty-pro-plugin-3-3-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 | EPSS: 17% | CPEs: 2 | EXPL: 1

06 Dec 2021 — The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue. • https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')