A new security vulnerability in the Chaty Pro plugin has been identified, potentially allowing attackers to take over WordPress sites by uploading malicious files.
Chaty Pro is a popular WordPress plugin offering chat integration with social messaging services and has roughly 18,000 installations.
According to a new advisory by PatchStack, the issue stems from an arbitrary file upload vulnerability (CVE-2025-26776) in the plugin's function chaty_front_form_save_data.
Because the code handling user input performed neither an authorization (capability) check nor a nonce check, an attacker could reach the file upload functionality and place harmful files on the server. A successful exploit, for example uploading a PHP web shell into a web-accessible directory, can lead to full control of the site.
Although the function defined a whitelist of allowed file extensions, that whitelist was never actually enforced, so files of any type, PHP included, were accepted.
"Uploaded file name contains the upload time and a random number between 100 and 1000, so it's possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time," PatchStack explained.
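The quoted weakness is a small search space: the attacker knows the upload time to within a few seconds and the random component has only 901 possible values. The following Python is an added example, not Chaty Pro's code; the exact name layout `<unix_time>_<n>.php` is an assumption (the advisory says only that the name contains the upload time and a random number between 100 and 1000), and the "uploads directory" is a constructed in-memory set standing in for HTTP requests against the real one.

```python
"""Why a stored name built from the upload time plus a random number in
[100, 1000] can be brute forced.

Added example, not plugin code. Assumed layout: "<unix_time>_<n>.<ext>".
"""
import random
import secrets
from typing import Callable, Iterator, Optional, Tuple

RANDOM_MIN, RANDOM_MAX = 100, 1000           # range stated in the advisory
RANDOM_VALUES = RANDOM_MAX - RANDOM_MIN + 1  # 901 possible values


def weak_stored_name(upload_ts: int, rng: random.Random, ext: str = "php") -> str:
    """Constructed stand-in for the vulnerable naming scheme (assumed layout)."""
    return f"{upload_ts}_{rng.randint(RANDOM_MIN, RANDOM_MAX)}.{ext}"


def candidate_names(observed_ts: int, window: int, ext: str = "php") -> Iterator[str]:
    """Every name the server could have produced if the upload happened within
    +/- `window` seconds of the time the attacker observed (for instance the
    Date header of the upload response)."""
    for ts in range(observed_ts - window, observed_ts + window + 1):
        for n in range(RANDOM_MIN, RANDOM_MAX + 1):
            yield f"{ts}_{n}.{ext}"


def search_space(window: int) -> int:
    """Worst-case number of requests for a +/- `window` second search."""
    return (2 * window + 1) * RANDOM_VALUES


def brute_force(observed_ts: int, window: int,
                exists: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate for which `exists` reports a hit. In a real
    attack `exists` would be an HTTP GET against the uploads directory."""
    for name in candidate_names(observed_ts, window):
        if exists(name):
            return name
    return None


def strong_stored_name(ext: str = "png") -> str:
    """Hardened alternative: 128 bits from the OS CSPRNG, unrelated to time."""
    return f"{secrets.token_hex(16)}.{ext}"


def demo(seed: int = 7, upload_ts: int = 1700000000,
         clock_skew: int = 1, window: int = 3) -> Tuple[str, Optional[str], int]:
    """Constructed scenario: the server stores a file at `upload_ts`; the
    attacker's view of the time is off by `clock_skew` seconds and searches
    +/- `window`. Returns (actual name, name found, worst-case requests)."""
    server_rng = random.Random(seed)
    stored = weak_stored_name(upload_ts, server_rng)
    uploads = {stored}                        # constructed directory listing
    found = brute_force(upload_ts + clock_skew, window, uploads.__contains__)
    return stored, found, search_space(window)


if __name__ == "__main__":
    stored, found, worst = demo()
    print(f"server stored {stored}; attacker found {found} in at most {worst} requests")
    print(f"a name such as {strong_stored_name()} has 2**128 possibilities instead")
```

With a three-second window either side of the observed time the whole search is 6,307 requests, which a single thread finishes in seconds; widening the window to a full minute only multiplies that by about 20. A 128-bit name from `secrets.token_hex()` cannot be enumerated, but note that the name is only one layer: the uploads directory should also not execute PHP at all (see the hardening list further down).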
To mitigate the risk, the plugin's developers replaced the insecure direct call to PHP's move_uploaded_file() with WordPress's wp_handle_upload(), which validates the file type against the allowed MIME types rather than trusting the supplied name alone. The patch also adds stricter access controls around the upload code path to prevent unauthorized use.
The vulnerability was discovered and reported on December 9, 2024. After an initial patch proposal that still required further security hardening, a final fix was released on February 11, 2025, in version 3.3.4.
"Uploading files directly from users to the server always carries security risks," PatchStack warned.
To counter these risks, developers should:
- Validate both the file extension and the file content (for example, its magic bytes), since either check alone is easily bypassed
- Avoid relying on user-supplied file names
- Store files under randomized names in a location the server does not execute scripts from
- Restrict uploads of executable file types such as PHP
- Enforce proper access controls (capability and nonce checks) on the upload handler
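The following Python is an added example implementing the checks in that list; it is neither the plugin's code nor wp_handle_upload() (a WordPress handler would call that function with an explicit `mimes` list after `check_ajax_referer()` and `current_user_can()`). The allowlist, the executable deny-list, the 2 MB limit and the sample byte strings are all assumptions constructed for the example.

```python
"""Upload validation: extension allowlist, magic-byte content check, no
reliance on the user-supplied name, random stored name, executable types
refused outright. Added example, not Chaty Pro or WordPress code.
"""
import re
import secrets
from typing import Tuple

MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

# Allowed extensions and the byte prefixes a genuine file of that type starts with.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Refused before any other check, as defence in depth against allowlist edits.
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar",
    "cgi", "pl", "py", "sh", "htaccess",
}

STORED_NAME_PATTERN = re.compile(r"^[0-9a-f]{32}\.[a-z0-9]+$")


def extension_of(user_supplied_name: str) -> str:
    """Only the final extension, lower-cased, is used; directory components and
    the rest of the user-supplied name are discarded."""
    base = user_supplied_name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def validate_upload(user_supplied_name: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Extension and content must both agree."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = extension_of(user_supplied_name)
    if ext in EXECUTABLE_EXTENSIONS:
        return False, "executable type"
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        # Catches "shell.php.png" style uploads whose bytes are really a script.
        return False, "content does not match extension"
    if b"<?php" in data:
        # Heuristic, defence in depth: a polyglot (valid image header followed by
        # PHP) still runs if the uploads directory ever gets PHP execution enabled.
        return False, "embedded PHP"
    return True, "ok"


def handle_upload(user_supplied_name: str, data: bytes) -> Tuple[bool, str]:
    """Validate, then return (True, random stored name) or (False, reason).
    The stored name takes nothing from the user but the validated extension."""
    ok, reason = validate_upload(user_supplied_name, data)
    if not ok:
        return False, reason
    return True, f"{secrets.token_hex(16)}.{extension_of(user_supplied_name)}"


if __name__ == "__main__":
    # Constructed sample inputs.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    shell = b"<?php system($_GET['c']); ?>"
    for name, data in [("avatar.png", png), ("shell.php", shell),
                       ("shell.php.png", shell), ("polyglot.png", png + shell),
                       ("../../evil.png", png)]:
        print(f"{name:16} -> {handle_upload(name, data)}")
```

Two points of design: the original name is never written to disk, so path traversal and double-extension tricks have nothing to act on, and the magic-byte check is paired with the allowlist rather than replacing it. Neither check defeats a polyglot that is both a valid image and valid PHP, so the directory the files land in must additionally be configured not to execute scripts (an `.htaccess` with `php_flag engine off` or a `location` block in nginx that never passes the path to PHP-FPM).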
WordPress site owners using Chaty Pro should update to version 3.3.4 or later immediately to protect against potential attacks.