Chaty Pro Plugin Vulnerability Puts Thousands of WordPress Sites at Risk

A newly discovered vulnerability in the Chaty Pro plugin is putting WordPress site owners on alert. Researchers found a flaw that could let attackers upload malicious files and potentially take control of affected sites. Tracked as CVE-2025-26776, the issue is another reminder that one vulnerable plugin can expose thousands of websites if it is not patched quickly.

Chaty Pro is a WordPress plugin that adds chat and social messaging options to a site, helping businesses connect with visitors through popular messaging platforms. With roughly 18,000 active installations, the plugin is widely used across many industries and site types.

Patchstack reports the vulnerability stems from a function called chaty_front_form_save_data. The flaw is classified as an arbitrary file upload issue, which is especially dangerous because it can allow attackers to place files on a server that may later be executed as code.

The core problem is missing security checks. The affected function does not properly confirm that a user is allowed to perform the action, and it does not verify that the request is legitimate. In WordPress terms, it lacks authorization checks and nonce validation, two safeguards that help prevent unauthorized requests and forged submissions.

Without those protections, an attacker can abuse the upload mechanism to submit malicious files, such as web shells, backdoors, or scripts designed to alter site behavior. If the uploaded file can be executed, the attacker may be able to run code on the server and escalate to full site control.
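To make the two missing safeguards concrete, here is an added example that is not Chaty Pro's code and is not based on its source: a hypothetical front-end AJAX upload handler written in the weak form described above, beside a hardened form that adds nonce validation, a capability check and a file-type allow-list using standard WordPress APIs. The hook and function names, the `attachment` field and the allowed types are assumptions.

```php
<?php
// Hypothetical front-end AJAX upload handler (not Chaty Pro's code).
// Weak pattern: reachable by anonymous visitors, no nonce, no capability
// check, no type restriction. Anything posted is written to wp-content/uploads.
function example_front_form_save_data_weak() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $_FILES['attachment'], array( 'test_form' => false ) );
    wp_send_json( $moved ); // echoes the stored file URL, whatever its type
}
add_action( 'wp_ajax_nopriv_example_save', 'example_front_form_save_data_weak' );
add_action( 'wp_ajax_example_save', 'example_front_form_save_data_weak' );

// Hardened pattern: every check runs before anything touches the filesystem.
function example_front_form_save_data_safe() {
    // 1. Reject forged requests: 'nonce' must come from wp_create_nonce( 'example_save' ).
    check_ajax_referer( 'example_save', 'nonce' );

    // 2. Reject callers who are not allowed to upload (anonymous visitors fail here).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['attachment'] ) || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Allow-list only what a chat form legitimately needs (assumed: images and PDF).
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext( $_FILES['attachment']['tmp_name'], $_FILES['attachment']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // 'mimes' restricts wp_handle_upload to the same allow-list as the check above.
    $moved = wp_handle_upload(
        $_FILES['attachment'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
// Deliberately no wp_ajax_nopriv_ registration: logged-out requests never reach the handler.
add_action( 'wp_ajax_example_save', 'example_front_form_save_data_safe' );
```

The capability check and the nonce guard different things: the first stops users who should not upload at all, the second stops a legitimate user's browser from being tricked into uploading on an attacker's behalf, so both are needed.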

The impact can be serious. A compromised site may be defaced, used to steal sensitive data, loaded with spam pages, or altered to redirect visitors to malicious destinations. In many cases, attackers also use hacked sites as part of broader campaigns, including malware distribution and infrastructure for additional attacks.

Around the same time, researchers also reported a large-scale compromise affecting roughly 150,000 websites, where attackers injected malicious JavaScript to promote Chinese gambling platforms.

This activity is not necessarily tied directly to the Chaty Pro vulnerability, but it shows what often happens once a plugin flaw becomes public. Automated scanners and bots quickly begin searching for unpatched sites, and exploitation can scale fast.

Injected JavaScript can trigger redirects, display unwanted ads, or load additional scripts from external sources. Beyond the security risk, that kind of compromise can harm user trust and lead to search engine warnings or blacklisting.

Site owners using Chaty Pro should act quickly. Update the plugin to the latest patched version if one is available. It’s also smart to review the site for unfamiliar files, suspicious administrator accounts, and unexpected changes to themes, plugins, or database content.

To reduce the odds of a repeat incident, keep plugins updated, run regular security scans, and consider a web application firewall. This case is a practical reminder that even well-known plugins can become an entry point, so proactive maintenance matters for every WordPress site.
