Chatra Live Chat Chatbot Cart Saver
Monthly
Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.