Description

WordPress Plugin Floating Chat Widget:Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button-Chaty is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Floating Chat Widget:Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button-Chaty version 3.0.2 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.0.3 or latest

References

https://wpscan.com/vulnerability/d251b6c1-602b-4d72-9d6a-bf5d5ec541ec

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2814119%40chaty&old=2813487%40chaty&sfp_email=&sfph_mail=

Related Vulnerabilities

WordPress Plugin JoomSport-for Sports: Team & League, Football, Hockey & more SQL Injection (3.3)

WordPress Plugin PPOM for WooCommerce Arbitrary File Upload (1.1)

WordPress Plugin SB Uploader Arbitrary File Upload (4.1)

WordPress Plugin TR Easy Google Analytics Cross-Site Scripting (1.0.0)

WordPress Plugin WP Reset-Most Advanced WordPress Reset Tool Cross-Site Scripting (1.86)

Severity

High

Classification

CVE-2022-3858 CWE-89 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update SQL Injection