CVE-2025-1450: 
WordPress vulnerability analysis and mitigation

The Floating Chat Widget (Chaty) WordPress plugin contains a Stored Cross-Site Scripting vulnerability (CVE-2025-1450) discovered in February 2025. The vulnerability affects all versions up to and including 3.3.5 of the plugin, which provides functionality for contact chat icons including WhatsApp, Telegram, WeChat, and other messaging platforms (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'data-hover' parameter. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST and 6.4 (Medium) by Wordfence. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update to a version newer than 3.3.5 of the Chaty plugin. A patch has been released to address the vulnerability as evidenced by the changelog (WordPress Changeset).