CVE-2019-6780 in Wise Chat Plugin
Summary
by MITRE
The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/25/2025
The Wise Chat plugin vulnerability CVE-2019-6780 represents a critical security flaw in WordPress plugin ecosystems that demonstrates poor implementation of hyperlink security measures. This vulnerability affects versions prior to 2.7 of the Wise Chat plugin, which is widely used for chat functionality on WordPress websites. The issue stems from the plugin's failure to properly handle external links within its post filtering mechanism, specifically in the rendering/filters/post/WiseChatLinksPostFilter.php file. The absence of proper link attributes creates a significant attack surface that can be exploited by malicious actors to compromise user sessions and execute unauthorized actions.
The technical flaw manifests in the omission of essential security attributes when processing external hyperlinks. The missing noopener and noreferrer attributes create a vector for malicious exploitation through a technique known as tabnabbing or reverse tabnabbing. When a user clicks on an external link from a WordPress site, the target page can gain access to the original page's window object through the window.opener property, potentially enabling malicious websites to redirect users to phishing sites or inject harmful content. The lack of noreferrer attribute prevents the target page from knowing the originating page's referrer information, which can be exploited for tracking and fingerprinting user behavior. This vulnerability directly maps to CWE-1021, which addresses improper restriction of excessive atomic operations, and specifically relates to CWE-937, which covers the weakness of using weak or predictable random numbers in security contexts.
The operational impact of this vulnerability extends beyond simple cross-site scripting concerns, as it can enable sophisticated attacks against WordPress users and administrators. Attackers can craft malicious external links that, when clicked, exploit the missing security attributes to perform session hijacking, redirect users to malicious domains, or inject harmful JavaScript code into the browsing context. The vulnerability affects all users who interact with chat functionality on affected WordPress sites, making it particularly dangerous in environments where administrators and users frequently click external links. This creates a persistent risk for organizations relying on WordPress for content management, as the vulnerability remains active until the plugin is updated to version 2.7 or later.
Mitigation strategies for CVE-2019-6780 involve immediate plugin updates to version 2.7 or later, which properly implements the required noopener and noreferrer attributes for external links. System administrators should conduct thorough vulnerability assessments to identify all instances of the vulnerable plugin across their WordPress installations and ensure proper patch management protocols are in place. Additional defensive measures include implementing content security policies that restrict external link behavior and monitoring for suspicious link patterns in chat functionality. Organizations should also consider using web application firewalls to detect and block attempts to exploit this vulnerability, while maintaining regular security audits of third-party plugins to identify similar security gaps. The vulnerability demonstrates the critical importance of proper hyperlink handling in web applications and aligns with ATT&CK technique T1189, which covers exploitation of web application vulnerabilities through improper link handling and session management.