WP Chat App for WordPress offer a streamlined way to integrate WhatsApp communication directly into websites. This enhances customer support and engagement. However, with great functionality comes the need for robust security measures. Recently, a critical vulnerability, CVE-2024-4664, was discovered in the WP Chat App plugin, highlighting the importance of safeguarding such tools against potential exploits.

PluginWP Chat App < 3.6.5
All Time1 074 085
Active installations100 000+
Publicly PublishedJune 10, 2024
Last UpdatedJune 10, 2024
ResearcherArtyom Krugov
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4664/
Plugin Security Certification by CleanTalk
Logo of the plugin


May 4, 2024Plugin testing and vulnerability detection in the WP Chat App have been completed
May 4, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
June 10, 2024Registered CVE-2024-4664

Discovery of the Vulnerability

CVE-2024-4664, a Stored XSS (Cross-Site Scripting) vulnerability, was identified during security testing of the WP Chat App plugin. This plugin facilitates the addition of WhatsApp chat functionalities, including floating buttons, stationary buttons, widgets, and web beacons, to WordPress websites. The vulnerability resides in the Widget text and Widget Label text fields, which do not properly sanitize user input. This flaw allows malicious scripts to be injected and stored within the application, posing significant security risks.

Understanding of Stored XSS attack’s

Stored XSS is a severe form of Cross-Site Scripting where malicious scripts are injected into a web application and stored on the server. Unlike Reflected XSS, which is executed immediately and often on the client-side, Stored XSS persists in the application, triggering whenever the infected data is accessed. In the context of WordPress, Stored XSS can compromise user sessions, steal sensitive information, and facilitate the spread of malware.

Exploiting the Stored XSS Vulnerability

Exploiting the CVE-2024-4664 vulnerability involves inserting a crafted payload into the vulnerable fields of the plugin. The following steps outline the exploitation process:


1.Access the WhatsApp control panel in the WordPress admin interface and configure the Floating Widget.
2.Navigate to the design panel.
3.Insert the payload into the Widget text and Widget Label text fields using HTML encoding, and save the changes.
4.Navigate away from the design page and then return to it.
5.Upon re-entering, the payload will be decoded and, after interacting with the panel and typing any character, the malicious script will execute.

PoC Payload: <script>alert(1)</script>


The primary risk associated with this vulnerability is the potential for privilege escalation. An attacker with contributor-level access could exploit the XSS flaw to create an admin account, gaining full control over the WordPress site. This could lead to various malicious activities, including data theft, defacement, or further exploitation of the site’s resources.

In real-world scenarios, such a vulnerability could be used to compromise high-profile websites, leading to significant reputational damage and financial loss. Attackers could also use the compromised sites as a launchpad for broader campaigns, affecting even more users.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-4664, several steps can be taken:

  1. Update the Plugin: Ensure the WP Chat App plugin is updated to the latest version that addresses the vulnerability.
  2. Input Validation and Sanitization: Implement robust input validation and output sanitization to prevent the injection of malicious scripts. All user input should be properly escaped before being rendered.
  3. Use Security Plugins: Employ security plugins and web application firewalls (WAF) to detect and block malicious activities in real-time.
  4. Regular Audits: Conduct regular security audits and code reviews to identify and address potential vulnerabilities.

In conclusion, CVE-2024-4664 serves as a stark reminder of the importance of security in web development. By understanding and addressing such vulnerabilities, we can protect our sites and users from malicious attacks.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4305, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-4664 – WP Chat App – Stored XSS (Administrator+) – POC

Leave a Reply

Your email address will not be published. Required fields are marked *