WordPress Plugin Vulnerabilities

Floating Chat Widget < 2.8.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Affects Plugins

Plugin icon
chaty
Fixed in 2.8.4

References

CVE
CVE-2021-36846
URL
https://www.hackpertise.com/cve/34-cve-2021-36846/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Verified
No
WPVDB ID
e674e7a2-c216-48fa-8be7-02079c7ffdcb

Timeline

Publicly Published
2022-04-08 (about 4 years ago)
Added
2022-04-12 (about 4 years ago)
Last Updated
2023-04-12 (about 3 years ago)

Other

Published
Title
Published
2023-03-27
Title
Albo Pretorio Online < 4.6.1 - Reflected XSS
Published
2024-11-22
Title
Memberlite Shortcodes < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via memberlite_accordion Shortcode
Published
2017-12-05
Title
WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)
Published
2025-10-21
Title
This-or-That by André Boekhorst <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-04
Title
Dashing Memberships <= 1.1 - Reflected Cross-Site Scripting