Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty < 3.5.2 – Unauthenticated Information Exposure | CVE 2026-27370 | Plugin Vulnerabilities

Description

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Affects Plugins

Fixed in 3.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fac8669b-84c0-4388-8e3e-cd1be2ae5ba3

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

760d5837-21f2-4755-841c-6c46dfd6e2d4

Timeline

Publicly Published

2026-02-24 (about 2 months ago)

Added

2026-03-05 (about 2 months ago)

Last Updated

2026-03-05 (about 2 months ago)

Other

Published

Title

Published

2023-10-03

Title

WP Ultimate Exporter < 2.4.2 - Unauthenticated Information Disclosure

Published

2026-05-12

Title

Broadstreet < 1.53.2 - Authenticated (Subscriber+) Information Disclosure

Published

2024-12-13

Title

Tickera – WordPress Event Ticketing < 3.5.4.9 - Unauthenticated Customer Data Exposure

Published

2023-11-30

Title

CF7 Google Sheets Connector < 5.0.6 - Unauthenticated Sensitive Information Exposure via Debug Log

Published

2022-01-03

Title

Document Embedder < 1.7.9 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure