CVE-2025-26776: 
WordPress vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-26776) has been discovered in the Chaty Pro WordPress plugin, affecting versions up to 3.3.3. The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type, which allows attackers to upload a web shell to a web server. With approximately 18,000 active installations, this plugin, which provides chat button functionality for website visitors to connect via various platforms like WhatsApp and Facebook Messenger, has been assigned a critical CVSS score of 10.0 (NVD, Security Online).

The vulnerability stems from a lack of proper authorization and security checks in the code responsible for handling user input. While there is a variable called $fileallowed with a whitelist of extensions that should be allowed, it is never implemented in any part of the code. This oversight enables attackers to bypass intended restrictions and upload malicious files. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H ([Patchstack](https://patchstack.com/database/wordpress/plugin/chaty-pro/vulnerability/wordpress-chaty-pro-plugin-3-3-3-arbitrary-file-upload-vulnerability?s_id=cve)).

The vulnerability allows attackers to completely take over WordPress websites by performing a series of HTTP requests. Through the exploitation of the arbitrary file upload vulnerability, attackers can upload malicious files, such as PHP scripts, which can then be executed to gain control of the website (Security Online).

The vulnerability has been patched in Chaty Pro version 3.3.4. The fix implements the more secure wphandleupload() function and proper checks on uploaded files, replacing the previous insecure call to PHP's moveuploadedfile() with unsanitized user data. Website owners using the Chaty Pro plugin are strongly urged to update to version 3.3.4 or later immediately to protect their sites from potential attacks (Security Online).