WordPress Plugin Vulnerabilities

Chaport < 1.1.7 - Admin+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
chaport
Fixed in 1.1.7

References

CVE
CVE-2025-30977
URL
https://patchstack.com/database/wordpress/plugin/chaport/vulnerability/wordpress-wp-live-chat-chatbots-plugin-for-wordpress-chaport-1-1-5-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
haudayroi
Verified
No
WPVDB ID
51de69bb-9d3b-40cf-9fbc-f3e40d01f310

Timeline

Publicly Published
2025-06-05 (about 11 months ago)
Added
2025-06-11 (about 11 months ago)
Last Updated
2025-09-24 (about 8 months ago)

Other

Published
Title
Published
2023-11-06
Title
QR Code Tag <= 1.0 - Contributor+ Stored XSS
Published
2015-05-25
Title
Free Counter 1.1 - Cross-Site Scripting (XSS)
Published
2016-08-05
Title
Store Locator Plus for WordPress <= 4.5.10 - Authenticated Cross-Site Scripting (XSS)
Published
2016-02-02
Title
MailPoet Newsletters < 2.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2024-11-08
Title
Wezido <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting