The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Steps to Reproduce:
1. Open Chaty Plugin Dashboard.
2. Click on "Create New Widget".
3. In "Step 1", select Custom Channel.
4. And type/paste the following Javascript payload in the link field.
javascript:alert(2);%22><img src=x onerror=alert(1);>
5. Save it and visit the website, you will get XSS popup.
You can also use `javascript:alert(2)` instead of the other payload and have the alert box show up when clicking on the generated link, at the bottom right of the site.