WATI Chat and Notification CVE-2025-28925
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Hieu Nguyen WATI Chat and Notification allows Stored XSS. This issue affects WATI Chat and Notification: from n/a through 1.1.2.
AnalysisAI
Stored cross-site scripting (XSS) in WordPress plugin WATI Chat and Notification versions through 1.1.2 can be triggered via CSRF attack, enabling attackers to inject persistent malicious scripts into the WordPress site. The vulnerability requires user interaction from an authenticated administrator but no direct authentication by the attacker, allowing scope change (S:C) that affects resources beyond the vulnerable component. EPSS score of 0.05% (14th percentile) indicates low current exploitation probability. Reported by Patchstack security research team, no CISA KEV listing or public POC identified at time of analysis.
Technical ContextAI
This vulnerability chains two distinct CWE classes: CWE-352 (CSRF) as the delivery mechanism and CWE-79 (stored XSS) as the payload. WATI Chat and Notification is a WordPress plugin that integrates WhatsApp Business API functionality for chat widgets and notifications. The CSRF weakness allows attackers to forge requests that authenticated WordPress administrators unknowingly execute, bypassing normal anti-CSRF protections. When successfully exploited, the forged request stores malicious JavaScript in the WordPress database (likely plugin configuration or message templates), which then executes in victims' browsers when viewing affected pages. The Changed scope (S:C) in the CVSS vector indicates the XSS payload executes in a security context different from the vulnerable plugin itself, typically the WordPress admin dashboard or front-end with elevated privileges. WordPress plugins frequently store user-supplied content without proper sanitization and lack CSRF tokens on administrative forms, creating this attack pattern.
Affected ProductsAI
WordPress plugin WATI Chat and Notification versions from earliest release through 1.1.2 are confirmed vulnerable per Patchstack advisory. The plugin is available from the WordPress.org plugin repository and integrates with WATI's WhatsApp Business API platform. CPE data not provided in NVD entry, but vulnerability applies to all WordPress installations running affected plugin versions regardless of WordPress core version. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability.
RemediationAI
Upgrade WATI Chat and Notification plugin to version 1.1.3 or later if available - verify current version in WordPress.org plugin repository as Patchstack advisory does not specify the patched release version. Until patching, implement compensating controls: restrict WordPress admin access to trusted IP ranges using .htaccess or firewall rules (note: breaks remote admin workflows); enforce Content Security Policy headers to mitigate XSS execution (may require theme/plugin compatibility testing); deploy Web Application Firewall rules detecting CSRF patterns in POST requests to /wp-admin/admin-ajax.php or plugin-specific endpoints (potential false positives on legitimate admin actions); mandate security awareness training for all administrator accounts on recognizing phishing and CSRF baiting (ongoing operational cost). If plugin functionality is non-critical, deactivate and remove WATI Chat and Notification entirely until vendor confirms patched version. Review WordPress audit logs and database tables used by the plugin for injected script tags or suspicious configuration changes since plugin installation. Advisory reference: https://patchstack.com/database/wordpress/plugin/wati-chat-and-notification/vulnerability/wordpress-wati-chat-and-notification-plugin-1-1-2-csrf-to-stored-cross-site-scripting-xss-vulnerability.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today