CVE-2021-25016

MEDIUM NUCLEI

Chaty and Chaty Pro < 2.8.3 and < 2.8.2 - Reflected Cross-Site Scripting via Search Parameter


Exploitation Summary

CVE-2021-25016 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The Chaty WordPress plugin before 2.8.3 and the Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

Nuclei Templates (1)

Chaty < 2.8.2 - Cross-Site Scripting
Severity: MEDIUM (verified), by luisfelipe146
Shodan: http.html:/wp-content/plugins/chaty/
FOFA: body=/wp-content/plugins/chaty/

References (1)

Core References (1)
Tags: Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0

Scores

CVSS v3 6.1
EPSS 0.0181
EPSS Percentile 75.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
premio/chaty < 2.8.3
premio/chaty_pro < 2.8.2
Published Jan 03, 2022
Tracked Since Feb 18, 2026