Chaty < 3.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings | CVE 2023-47759 | Plugin Vulnerabilities

Description

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 3.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/361deac0-f675-432c-b7d2-b99f168d476d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

emad

Verified

No

WPVDB ID

bdf5b9e9-0903-495d-aaad-dab1dba629a7

Timeline

Publicly Published

2023-11-13 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-09-22

Title

WordPress Widgets Shortcode <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-02-17

Title

Fruitful Theme < 3.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2021-08-09

Title

WPFront Notification Bar < 2.1.0.08087 - Authenticated Stored XSS

Published

2015-05-06

Title

ClickBank Affiliate Ads < 1.35 - Admin+ Stored Cross-Site Scripting

Published

2025-04-01

Title

Arrow Custom Feed for Twitter <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting