Vulnerability in Chaty Pro Plugin Exposes 18,000 WordPress Sites


A new security vulnerability in the Chaty Pro plugin has been identified, potentially allowing attackers to take over WordPress sites by uploading malicious files. 

Chaty Pro is a popular WordPress plugin offering chat integration with social messaging services and has approximately 18,000 installations.

According to a new advisory by Patchstack, the issue is an arbitrary file upload vulnerability (CVE-2025-26776) in the plugin's function chaty_front_form_save_data.

Because the code that handles this input performs no authorization or nonce checks, an unauthenticated attacker could use the upload functionality to place attacker-controlled files on the server. A PHP file written into a web-accessible directory gives the attacker remote code execution and, with it, full control of the site.

The function did define a whitelist of allowed file extensions, but the upload path never checked the incoming file against it, so any extension, including .php, was accepted.

“Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time,” Patchstack explained.

To fix the issue, the plugin's developers replaced the direct call to PHP's move_uploaded_file() with WordPress's wp_handle_upload(), which validates the file's extension against the allowed types and checks that its content matches the claimed type. The patch also adds stricter checks against unauthorized access.


The vulnerability was discovered and reported on December 9, 2024. After an initial patch that required further hardening, a final fix was released on February 11, 2025, in version 3.3.4.

“Uploading files directly from users to the server always carries security risks,” Patchstack warned.

To counter these risks, developers should:

  • Validate both file extensions and content
  • Avoid relying on user-supplied file names
  • Use randomized file names stored securely
  • Restrict executable file uploads
  • Implement proper access controls
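The following before/after pair is an added example and is not Chaty Pro's code, nor code from the Patchstack advisory. It illustrates the pattern the advisory describes (a whitelist that is defined but never applied, no nonce check, and move_uploaded_file() writing a time-plus-random-number name) next to a hardened handler built on wp_handle_upload(), which is the approach the fix and the recommendations above point to. The function names, the 'attachment' form field, the AJAX action demo_front_form_save and the nonce action 'demo_front_form' are assumptions made for this example.

```php
<?php
/*
 * Illustrative before/after for a front-end WordPress upload handler.
 * NOT Chaty Pro's code. Function names, the 'attachment' field, the AJAX
 * action and the nonce action 'demo_front_form' are assumptions.
 */

// BEFORE (vulnerable pattern): the whitelist exists but is never consulted,
// there is no nonce or capability check, and move_uploaded_file() keeps the
// attacker-chosen extension. A shell.php upload lands in a web-served
// directory and can be requested directly.
function demo_front_form_save_data_vulnerable() {
    $allowed    = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' ); // defined, never used
    $upload_dir = wp_upload_dir();
    $ext        = pathinfo( $_FILES['attachment']['name'], PATHINFO_EXTENSION );
    // time() plus rand(100, 1000): roughly 900 candidate names per second,
    // so an attacker who knows the upload time can enumerate them.
    $name = time() . '_' . rand( 100, 1000 ) . '.' . $ext;
    $dest = trailingslashit( $upload_dir['basedir'] ) . $name;
    move_uploaded_file( $_FILES['attachment']['tmp_name'], $dest );
    wp_send_json_success( array( 'file' => $name ) );
}

// AFTER (hardened pattern).
function demo_front_form_save_data_hardened() {
    // 1. Nonce check: the page that renders the form must embed a token from
    //    wp_create_nonce( 'demo_front_form' ) in a 'nonce' field. Requests
    //    without a valid token are rejected before any file is touched.
    check_ajax_referer( 'demo_front_form', 'nonce' );

    // 2. Only handle a genuine uploaded file from this request.
    if ( empty( $_FILES['attachment']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // 3. Enforce the whitelist. wp_handle_upload() runs
    //    wp_check_filetype_and_ext(), which checks the extension against
    //    'mimes' and sniffs image content, and refuses anything that does not
    //    match. 'test_form' => false because this is an AJAX handler, not a
    //    form posted to admin-post.php.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'pdf'      => 'application/pdf',
        ),
        // 4. Randomised, unguessable stored name. The callback runs after the
        //    type check, so $ext is the validated extension (with leading dot).
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 32, false, false ) . $ext;
        },
    );
    $result = wp_handle_upload( $_FILES['attachment'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // 5. Do not echo the client-chosen name back; report only what is needed.
    wp_send_json_success( array( 'type' => $result['type'] ) );
}

// Register the hardened handler for logged-in and anonymous visitors; the
// nonce check above applies to both.
add_action( 'wp_ajax_demo_front_form_save', 'demo_front_form_save_data_hardened' );
add_action( 'wp_ajax_nopriv_demo_front_form_save', 'demo_front_form_save_data_hardened' );
```

Two design points are worth noting. For a form that anonymous visitors are meant to use, the nonce only proves the request originated from a page that rendered the form; it is the restricted 'mimes' list in wp_handle_upload() that actually stops PHP code from being stored. And a random file name, as the 100 to 1000 range in the original shows, is not a substitute for type validation: it only raises the cost of finding a file that should never have been written in the first place.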

WordPress site owners using Chaty Pro should update to version 3.3.4 or later immediately to protect against potential attacks.


