Introduction
The Chaty Pro plugin for WordPress [2], used by approximately 18,000 websites for chat functionality [2], has been found to contain a critical security vulnerability. This flaw, identified as CVE-2025-26776 [1] [2] [3] [4], could allow attackers to take control of WordPress sites by exploiting an arbitrary file upload issue.
Description
The vulnerability in the Chaty Pro plugin arises from the function chaty_front_form_save_data, which suffers from insufficient authorization and nonce checks when processing user input. Although a whitelist for allowed file extensions was intended [3], it was never implemented [3], leaving the system exposed. Attackers can exploit this flaw to upload malicious PHP files by brute-forcing file names based on the upload time [3], thereby gaining unauthorized access to these files.
To address this vulnerability [1] [3], the developers have replaced the insecure use of PHP’s move_uploaded_file() function with the secure wp_handle_upload() function in version 3.3.4 of the plugin, released on February 11, 2025 [1] [3]. This update ensures proper validation of file extensions and content [1], along with stricter security measures to prevent unauthorized access [1] [3].
The vulnerability was discovered and reported on December 9, 2024 [1] [3]. It is strongly advised that WordPress site owners using Chaty Pro update to version 3.3.4 immediately to safeguard against potential attacks [1]. Recommendations for developers include validating file extensions and content [1] [3], avoiding reliance on user-supplied file names [1] [3], using randomized file names stored securely [1], restricting executable file uploads [1] [3], and implementing proper access controls [1] [3].
Conclusion
The discovery of this vulnerability highlights the importance of robust security measures in plugin development. By updating to version 3.3.4 [3], WordPress site owners can protect their sites from potential exploitation. Developers are encouraged to adopt best practices in file handling and access control to prevent similar vulnerabilities in the future. This incident serves as a reminder of the ongoing need for vigilance and proactive security management in web development.
References
[1] https://www.infosecurity-magazine.com/news/flaw-chaty-pro-plugin-18k/
[2] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-march-06-2025
[3] https://ciso2ciso.com/vulnerability-in-chaty-pro-plugin-exposes-18000-wordpress-sites-source-www-infosecurity-magazine-com/
[4] https://patchstack.com/articles/unauthenticated-arbitrary-file-upload-vulnerability-patched-in-chaty-pro-plugin/
