The discovery of CVE-2024-2837 has unveiled a chilling reality within WP Chat App, where a Stored XSS vulnerability lurks. This flaw permits the injection of malicious scripts, opening the floodgates to potential backdoors. Let’s delve into the depths of this digital menace. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

Main info:

PluginWP Chat App < 3.6.4
All Time979 590
Active installations100 000+
Publicly PublishedApril 10, 2023
Last UpdatedApril 10, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Plugin Security Certification by CleanTalk


March 1, 2024Plugin testing and vulnerability detection in the WP Chat App plugin have been completed
March 1, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 10, 2024Registered CVE-2024-2837

Discovery of the Vulnerability

During meticulous plugin testing, CVE-2024-2837 emerged as a sinister threat. It enables adversaries to execute Stored XSS attacks under the guise of admin privileges, paving the way for nefarious account hijacking endeavors.

Understanding of Stored XSS attack’s

Stored XSS, a notorious adversary in the cybersecurity realm, finds a fertile ground in WordPress ecosystems. By infiltrating user-generated content, it can stealthily embed malicious scripts, leading to devastating consequences.

Exploiting the Stored XSS Vulnerability

Exploiting CVE-2024-2837 is alarmingly straightforward. Simply navigating to WP Chat App’s “Floating Widget” settings and tampering with the “titleSize” parameter can trigger a cascade of malicious actions, including unauthorized script execution.


Go to “Floating Widget” settings and try to change filed “titleSize” to this – titleSize=18″onmouseover=alert(1)//’+onmouseover=alert(1)//


The ramifications of this vulnerability extend far beyond theoretical constructs. With the ability to create JavaScript backdoors, threat actors could orchestrate full-scale website compromises, jeopardizing user data, trust, and organizational integrity.

Recommendations for Improved Security

To mitigate the looming threat posed by CVE-2024-2837, immediate action is imperative. Website administrators should promptly update WP Chat App to the latest patched version and enforce stringent security measures to fortify their digital fortresses against potential breaches. Vigilance, proactive monitoring, and robust security protocols are indispensable in the ongoing battle against cyber threats.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2837, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-2837 – WP Chat App – Stored XSS to JS backdoor creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *