CVE-2026-12041 in Live Chat and ChatBot and Cart Saver Plugininfo

Summary

by MITRE • 07/08/2026

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The Chatra Live Chat plugin for WordPress represents a critical security vulnerability through its implementation of stored cross-site scripting flaws within the admin settings interface. This vulnerability exists in all versions up to and including 1.0.12, making it particularly concerning given the widespread adoption of WordPress plugins and the privileged access required for exploitation. The flaw stems from inadequate input sanitization mechanisms and insufficient output escaping practices that fail to properly validate or escape user-supplied data before storing and rendering it within administrative interfaces.

The technical nature of this vulnerability places it squarely within the CWE-79 category of cross-site scripting attacks, specifically manifesting as a stored XSS variant where malicious scripts are permanently injected into the plugin's settings and subsequently executed when legitimate users access affected pages. The vulnerability requires an authenticated attacker with administrator-level permissions or higher to exploit effectively, which aligns with the principle of least privilege that security frameworks emphasize. However, the impact remains severe because administrators typically have broad system access and can manipulate various aspects of website functionality through plugin interfaces.

Operational implications extend beyond simple script execution as this vulnerability affects multi-site WordPress installations where the attack surface expands significantly. The requirement for installations to have unfiltered_html disabled creates a specific exploitation window that security administrators must consider when assessing risk. Attackers could potentially inject malicious scripts that steal administrator session cookies, redirect users to phishing sites, or manipulate website content in ways that compromise both user experience and system integrity.

The vulnerability's impact is particularly concerning in enterprise environments where WordPress installations often serve as critical business platforms. The stored nature of the XSS attack means that once successfully exploited, malicious scripts persist indefinitely until manually removed from the plugin settings, creating a long-term security risk. This makes the vulnerability especially dangerous for websites managing sensitive customer data or serving as primary communication channels for businesses.

Mitigation strategies should focus on immediate patching to versions that address the input sanitization and output escaping deficiencies. Security administrators must ensure all WordPress installations are updated to versions containing proper validation mechanisms that comply with OWASP XSS prevention guidelines. Additionally, implementing additional security layers such as content security policies, regular security audits of plugin configurations, and monitoring for unauthorized administrative changes can help detect potential exploitation attempts.

The vulnerability also highlights the importance of input validation practices within WordPress plugin development, particularly concerning administrative interfaces where privileged users interact with system configuration settings. Organizations should conduct comprehensive security assessments of all installed plugins and maintain updated security baselines that include regular vulnerability scanning and patch management procedures. This case demonstrates how seemingly minor implementation flaws in plugin development can create significant security risks when exploited by authenticated attackers with elevated privileges.

Responsible

Wordfence

Reservation

06/11/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!