WordPress Plugin Vulnerabilities

Chaty Pro < 3.3.4 - Unauthenticated Arbitrary File Upload

Description

The Chaty Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
chaty-pro
Fixed in 3.3.4

References

CVE
CVE-2025-26776
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/63f3aa9e-2d82-440b-b37c-211dc3b5d26d

Miscellaneous

Original Researcher
luc
Verified
No
WPVDB ID
e7a80690-ba63-4fcf-986f-277fea98af77

Timeline

Publicly Published
2025-02-14 (about 1 year ago)
Added
2025-02-26 (about 1 year ago)
Last Updated
2025-02-26 (about 1 year ago)

Other

Published
Title
Published
2026-03-23
Title
Ona < 1.24 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2024-10-24
Title
SurveyJS: Drag & Drop WordPress Form Builder < 1.12.4 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-12-05
Title
Flex QR Code Generator < 1.2.8 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
Echelon - media-upload.php Remote File Upload
Published
2014-08-01
Title
wp-3dflick-slideshow - Arbitrary File Upload