Unrated severity · NVD Advisory · Published Feb 27, 2025 · Updated Apr 8, 2026

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty <= 3.3.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

CVE-2025-1450

Description

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-hover’ parameter in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected products

3
  • Chatty/Chatty (source: llm-fuzzy)
    Range: <=3.3.5
  • premio/Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty (source: v5)
    Range: 0
  • WordPress/Chatty (source: wp-canonicalize)
