WordPress Plugin Vulnerabilities

WATI Chat and Notification < 1.1.5 - Stored XSS via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wati-chat-and-notification
Fixed in 1.1.5

References

CVE
CVE-2025-28925
URL
https://patchstack.com/database/wordpress/plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
f836a454-5ec8-45c9-a7c8-0f323310b51e

Timeline

Publicly Published
2025-03-11 (about 1 year ago)
Added
2025-03-17 (about 1 year ago)
Last Updated
2025-03-19 (about 1 year ago)

Other

Published
Title
Published
2015-02-11
Title
WPBook <= 3.7 - Cross-Site Request Forgery (CSRF)
Published
2022-11-21
Title
Booster for WooCommerce - Custom Role Creation/Deletion via CSRF
Published
2023-11-03
Title
Email Templates < 1.4.3 - Email Sending via CSRF
Published
2025-01-20
Title
WP-BibTeX < 3.0.2 - Cross-Site Request Forgery to Stored and Reflected Cross-Site Scripting
Published
2022-08-16
Title
Affiliates Manager < 2.9.14 - Arbitrary Affiliates & Creatives Deletion via CSRF