Advisory

WordPress Chaty Pro plugin vulnerable to critical Arbitrary File Upload

Take action: If you are using WordPress Chaty Pro plugin, patch IMMEDIATELY. This is an obviously exploitable flaw, publicly accessible and easily automated. Don't postpone, update the plugin today.


A critical security vulnerability has been discovered in the WordPress Chaty Pro plugin, affecting versions 3.3.3 and earlier.

The flaw is tracked as CVE-2025-26776 (CVSS score 10.0) and allows unauthenticated attackers to upload arbitrary files to affected WordPress websites, leading to complete site compromise. The vulnerability exists in the chaty_front_form_save_data function of the Chaty Pro plugin, which provides chat integration with social messaging services.

While the plugin code included a whitelist of allowed file extensions, the check against that list was not properly enforced. As a result, malicious actors could exploit the file upload functionality to introduce backdoors or other malicious code.

According to Patchstack's advisory, "Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time."

This vulnerability could allow attackers to upload malicious PHP files, execute arbitrary code on the server, gain unauthorized access to the WordPress site and take complete control of the affected website.

Affected versions: Chaty Pro plugin 3.3.3 and earlier.

The developers have addressed this vulnerability in version 3.3.4 by:

  • Replacing the insecure use of PHP's move_uploaded_file() with WordPress's wp_handle_upload() function
  • Implementing proper validation of file extensions and content
  • Adding stricter security measures to prevent unauthorized access
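
The following is an added example of a hardened front-end upload handler that applies the three mitigations listed above; it is illustrative code written for this advisory, not Chaty Pro's own 3.3.4 code. The function name secure_front_form_save_data, the form field name attachment, the nonce action front_form_upload and the allowed-type list are assumptions; the WordPress functions used (wp_verify_nonce, wp_check_filetype_and_ext, wp_handle_upload, wp_generate_password) are real core APIs.

```php
<?php
/**
 * Added example (not Chaty Pro's code): a hardened front-end upload handler
 * showing the mitigations the advisory lists. Function, field and nonce names
 * are assumptions for this illustration.
 */

// Allow-list of extension => MIME type. It is passed to WordPress so the core
// upload functions enforce it, instead of the plugin only consulting it by name.
const FRONT_FORM_ALLOWED_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);

function secure_front_form_save_data() {
    // 1. Require a nonce tied to the form so the endpoint cannot be driven blindly.
    $nonce = isset( $_POST['_front_form_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_front_form_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'front_form_upload' ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }

    if ( empty( $_FILES['attachment'] ) || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['attachment'];

    // 2. Validate extension AND content against the allow-list.
    //    wp_check_filetype_and_ext() sniffs the real image/PDF content, so a
    //    PHP file with an image extension does not resolve to an allowed type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], FRONT_FORM_ALLOWED_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 3. Let wp_handle_upload() move the file instead of calling
    //    move_uploaded_file() directly: it re-applies the MIME allow-list and
    //    refuses executable types before the file reaches the uploads directory.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $overrides = array(
        'test_form' => false,               // not coming from the media form
        'mimes'     => FRONT_FORM_ALLOWED_MIMES,
        // 4. Unpredictable stored name: 32 random characters rather than
        //    upload time plus a small number, so a stored file cannot be found
        //    by guessing names around the upload timestamp. $ext includes the dot.
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 32, false ) . $ext;
        },
    );
    $result = wp_handle_upload( $file, $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Return only the stored name, never the filesystem path.
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}

// A front-end form serves anonymous and logged-in visitors alike, so the
// handler is registered for both; the checks above are what protect it.
add_action( 'wp_ajax_front_form_save_data', 'secure_front_form_save_data' );
add_action( 'wp_ajax_nopriv_front_form_save_data', 'secure_front_form_save_data' );
```

When reviewing a plugin's upload path, the two things to confirm are that the allow-list is enforced by the function that actually writes the file (here via the mimes override) and that the stored filename is not derivable from the request time; either gap alone reproduces the failure mode this advisory describes.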

Website administrators using the Chaty Pro plugin should update to version 3.3.4 or later immediately.
