
A critical vulnerability has been discovered in the Chaty Pro plugin for WordPress, potentially allowing attackers to completely take over websites. With an estimated 18,000 active installations, this plugin, which provides a chat button for website visitors to connect via various platforms like WhatsApp and Facebook Messenger, is now confirmed to have a serious security flaw.
Patchstack, a WordPress security company, has identified an arbitrary file upload vulnerability in the plugin and assigned it CVE-2025-26776 with a CVSS score of 10, indicating critical severity. “The plugin suffers from an arbitrary file upload vulnerability. As a result, an attacker can upload a malicious file to the system and take over the WordPress site by performing a series of HTTP requests,” Patchstack explains in its security advisory.
The vulnerability stems from a lack of proper authorization and security checks in the code responsible for handling user input. “This vulnerability occurred because the code that handles user input didn’t have any authorization or nonce check,” the advisory states. This essentially means that attackers can exploit the plugin’s file upload functionality to upload malicious files, such as PHP scripts, which can then be executed to gain control of the website.
“Although there is a variable called $file_allowed with a whitelist of extensions that should be allowed, it is never implemented in any part of the code,” Patchstack further explains. This oversight makes it possible for attackers to bypass any intended restrictions and upload files with malicious intent.
Fortunately, the developers of Chaty Pro have addressed CVE-2025-26776 in version 3.3.4. The patch uses the more secure wp_handle_upload() function and implements proper checks on uploaded files. “Instead of utilizing an insecure call to PHP’s move_uploaded_file() with unsanitized user data, the functionality that handles file uploads now utilizes wp_handle_upload() and properly checks the uploaded file’s extension and content,” the advisory confirms.
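To make the fix pattern concrete, the following is an added example of a hardened WordPress AJAX upload handler that applies the three controls the advisory says were missing: a nonce check, an authorization (capability) check, and wp_handle_upload() with an explicit allowed-type list in place of a raw move_uploaded_file() call. This is illustrative code written for this article, not Chaty Pro's source; the action hook name, nonce action, form field name and allowed types are assumptions chosen for the example.

```php
<?php
// Added example (not Chaty Pro code). Shows the insecure pattern the advisory
// describes next to a hardened handler. Hook name, nonce action and field
// name ('example_plugin_upload', 'example_file') are assumed for illustration.

// --- Anti-pattern: what the advisory describes as the vulnerable shape ---
// No nonce, no capability check, and an extension whitelist that is declared
// but never consulted before the file is moved into a web-reachable directory.
function example_insecure_upload_pattern() {
    $file_allowed = array( 'jpg', 'png', 'gif' ); // defined but never enforced
    $target = wp_upload_dir()['path'] . '/' . basename( $_FILES['example_file']['name'] );
    move_uploaded_file( $_FILES['example_file']['tmp_name'], $target );
}

// --- Hardened handler ---
add_action( 'wp_ajax_example_plugin_upload', 'example_plugin_handle_upload' );

function example_plugin_handle_upload() {
    // 1. Nonce check: the request must carry a token issued for this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_upload' ) ) {
        wp_send_json_error( 'Invalid or missing nonce', 403 );
    }

    // 2. Authorization check: only users permitted to upload files may proceed.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Require the expected multipart field.
    if ( empty( $_FILES['example_file'] ) || ! is_array( $_FILES['example_file'] ) ) {
        wp_send_json_error( 'No file submitted', 400 );
    }

    // 4. Enforce the whitelist by handing it to wp_handle_upload(), which
    //    validates the extension and, for supported types, the file's actual
    //    content, and rejects anything outside the 'mimes' list.
    $overrides = array(
        'test_form' => false, // we are not posting from wp-admin's media form
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
        ),
    );

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    $result = wp_handle_upload( $_FILES['example_file'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // $result['file'] is the sanitized server path; $result['url'] the public URL.
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The nonce for the hardened handler would be generated on the page with wp_create_nonce( 'example_plugin_upload' ) and sent in the _wpnonce field. Note that the nonce alone is a CSRF control, not an authorization control; the current_user_can() check is what stops an unprivileged account from reaching the upload path, and the 'mimes' override is what turns the declared whitelist into an enforced one.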
Website owners using the Chaty Pro plugin are strongly urged to update to version 3.3.4 or later immediately to protect their sites from potential attacks.