A recent security flaw has been discovered in the Chaty Pro plugin for WordPress, which could potentially allow hackers to gain control of websites by uploading malicious files. The popular plugin, known for integrating chat functionality with social messaging services, boasts around 18,000 installations.
The vulnerability, described in a recent advisory by PatchStack, is an arbitrary file upload flaw (CVE-2025-26776) in the plugin's chaty_front_form_save_data function. The code that handles the uploaded file performs neither an authorization check nor a nonce check, so a request reaches the upload logic without any verification of who sent it or whether it was intentionally submitted.
Although the function defines a whitelist of allowed file extensions, that whitelist is never actually enforced, so files of any type are accepted. An attacker who uploads a harmful file through this path could gain complete control of the affected website.
Explaining the potential risk posed by this vulnerability, PatchStack noted, “Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time.”
In response, the plugin's developers addressed the issue by replacing the insecure call to PHP's move_uploaded_file() with WordPress's wp_handle_upload(). The replacement validates both the file extension and the file's content, and brings the upload under WordPress's own handling rather than writing the raw upload straight to disk.
The vulnerability was first discovered and reported on December 9, 2024. Following an initial patch proposal that highlighted the need for additional security hardening, a final fix was ultimately released on February 11, 2025, in the form of version 3.3.4 of the plugin.
Emphasizing the inherent risks associated with direct file uploads from users to the server, PatchStack cautioned, “Uploading files directly from users to the server always carries security risks.”
To minimize these risks, developers are advised to validate both file extensions and content, avoid relying on user-supplied file names, use randomized file names stored securely, restrict executable file uploads, and implement proper access controls within their systems.
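The following is an added illustration, not the plugin's own code, of the two patterns described above: a handler that computes an extension whitelist but never consults it and saves the file with move_uploaded_file() under a time-plus-random-number name, beside a hardened handler that checks the nonce and the caller's capability and delegates to wp_handle_upload() with an explicit MIME list and an unpredictable stored name. The function names, the nonce action, the field name and the requirement that the uploader hold the upload_files capability are assumptions.

```php
<?php
// Insecure pattern (illustrative only): the whitelist is built but never used,
// no nonce or capability check is made, and the stored name is derived from
// time() plus a small random number, so it is easy to guess.
function insecure_form_save_data() {
    $allowed = array( 'jpg', 'png', 'pdf' );                 // computed, never enforced
    $file    = $_FILES['attachment'];
    $ext     = pathinfo( $file['name'], PATHINFO_EXTENSION ); // attacker-controlled
    $name    = time() . '-' . rand( 100, 1000 ) . '.' . $ext; // predictable name
    $dir     = wp_upload_dir();
    move_uploaded_file( $file['tmp_name'], $dir['path'] . '/' . $name ); // no type check
}

// Hardened pattern: verify the request and the caller, then let wp_handle_upload()
// check the extension against the detected content type and restrict accepted types.
function secure_form_save_data() {
    check_ajax_referer( 'chat_form_upload', 'nonce' );     // dies on a missing/invalid nonce
    if ( ! current_user_can( 'upload_files' ) ) {          // assumed policy: uploaders must be allowed to upload
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['attachment'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';  // defines wp_handle_upload()

    $overrides = array(
        'test_form' => false,                              // not a wp-admin form submission
        'mimes'     => array(                              // only these extension/MIME pairs pass
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
        // Replace the user-supplied base name with 32 random hex characters;
        // $ext arrives with its leading dot, e.g. ".png".
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return bin2hex( random_bytes( 16 ) ) . $ext;
        },
    );

    $result = wp_handle_upload( $_FILES['attachment'], $overrides );
    if ( isset( $result['error'] ) ) {                     // wrong type, too large, move failed, ...
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_chat_form_upload', 'secure_form_save_data' );
```

Because PHP files are not in the mimes list, wp_handle_upload() rejects them regardless of the name the client supplies, and the random stored name removes the time-based guessability the advisory describes.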
Site owners running Chaty Pro on their WordPress sites should update to version 3.3.4 immediately, as it is the first release containing the fix. Keeping plugins current is a basic part of maintaining the integrity of a website and protecting the user data it holds.