Skip to main content

WATI Chat and Notification CVE-2025-28925

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Hieu Nguyen WATI Chat and Notification allows Stored XSS. This issue affects WATI Chat and Notification: from n/a through 1.1.2.

AnalysisAI

Stored cross-site scripting (XSS) in WordPress plugin WATI Chat and Notification versions through 1.1.2 can be triggered via CSRF attack, enabling attackers to inject persistent malicious scripts into the WordPress site. The vulnerability requires user interaction from an authenticated administrator but no direct authentication by the attacker, allowing scope change (S:C) that affects resources beyond the vulnerable component. EPSS score of 0.05% (14th percentile) indicates low current exploitation probability. Reported by Patchstack security research team, no CISA KEV listing or public POC identified at time of analysis.

Technical ContextAI

This vulnerability chains two distinct CWE classes: CWE-352 (CSRF) as the delivery mechanism and CWE-79 (stored XSS) as the payload. WATI Chat and Notification is a WordPress plugin that integrates WhatsApp Business API functionality for chat widgets and notifications. The CSRF weakness allows attackers to forge requests that authenticated WordPress administrators unknowingly execute, bypassing normal anti-CSRF protections. When successfully exploited, the forged request stores malicious JavaScript in the WordPress database (likely plugin configuration or message templates), which then executes in victims' browsers when viewing affected pages. The Changed scope (S:C) in the CVSS vector indicates the XSS payload executes in a security context different from the vulnerable plugin itself, typically the WordPress admin dashboard or front-end with elevated privileges. WordPress plugins frequently store user-supplied content without proper sanitization and lack CSRF tokens on administrative forms, creating this attack pattern.

Affected ProductsAI

WordPress plugin WATI Chat and Notification versions from earliest release through 1.1.2 are confirmed vulnerable per Patchstack advisory. The plugin is available from the WordPress.org plugin repository and integrates with WATI's WhatsApp Business API platform. CPE data not provided in NVD entry, but vulnerability applies to all WordPress installations running affected plugin versions regardless of WordPress core version. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability.

RemediationAI

Upgrade WATI Chat and Notification plugin to version 1.1.3 or later if available - verify current version in WordPress.org plugin repository as Patchstack advisory does not specify the patched release version. Until patching, implement compensating controls: restrict WordPress admin access to trusted IP ranges using .htaccess or firewall rules (note: breaks remote admin workflows); enforce Content Security Policy headers to mitigate XSS execution (may require theme/plugin compatibility testing); deploy Web Application Firewall rules detecting CSRF patterns in POST requests to /wp-admin/admin-ajax.php or plugin-specific endpoints (potential false positives on legitimate admin actions); mandate security awareness training for all administrator accounts on recognizing phishing and CSRF baiting (ongoing operational cost). If plugin functionality is non-critical, deactivate and remove WATI Chat and Notification entirely until vendor confirms patched version. Review WordPress audit logs and database tables used by the plugin for injected script tags or suspicious configuration changes since plugin installation. Advisory reference: https://patchstack.com/database/wordpress/plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-28925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy