CVE-2025-26776
Published: 22 February 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-26776 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the NotFound Chaty Pro WordPress plugin. It enables attackers to upload a web shell to the web server. The issue affects Chaty Pro versions from n/a through 3.3.3 and was published on 2025-02-22.
The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity by unauthenticated attackers requiring no user interaction. Exploitation allows remote attackers to upload arbitrary dangerous files, such as web shells, resulting in high impacts to confidentiality, integrity, and availability, with a changed scope that can lead to server compromise.
The Patchstack advisory provides further details on this arbitrary file upload vulnerability in Chaty Pro 3.3.3 and related mitigation guidance: https://patchstack.com/database/wordpress/plugin/chaty-pro/vulnerability/wordpress-chaty-pro-plugin-3-3-3-arbitrary-file-upload-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted file upload vulnerability in a public-facing WordPress plugin directly enables remote unauthenticated attackers to upload and execute web shells, mapping to T1190 (Exploit Public-Facing Application) for initial exploitation and T1505.003 (Web Shell) for the resulting server compromise.