CVE-2025-26776
Published: 22 February 2025
Summary
CVE-2025-26776 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26776 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the NotFound Chaty Pro WordPress plugin. It enables attackers to upload a web shell to the web server. The issue affects Chaty Pro versions from n/a through 3.3.3 and was published on 2025-02-22.
The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity by unauthenticated attackers requiring no user interaction. Exploitation allows remote attackers to upload arbitrary dangerous files, such as web shells, resulting in high impacts to confidentiality, integrity, and availability, with a changed scope that can lead to server compromise.
The Patchstack advisory provides further details on this arbitrary file upload vulnerability in Chaty Pro 3.3.3 and related mitigation guidance: https://patchstack.com/database/wordpress/plugin/chaty-pro/vulnerability/wordpress-chaty-pro-plugin-3-3-3-arbitrary-file-upload-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4423
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro allows Upload a Web Shell to a Web Server. This issue affects Chaty Pro: from n/a through 3.3.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unrestricted file upload vulnerability in a public-facing WordPress plugin directly enables remote unauthenticated attackers to upload and execute web shells, mapping to T1190 (Exploit Public-Facing Application) for initial exploitation and T1505.003 (Web Shell) for the resulting server compromise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the unrestricted file upload flaw in Chaty Pro by identifying, reporting, and applying patches to vulnerable plugin versions.
Validates file uploads to block dangerous types like web shells, preventing exploitation of the unrestricted upload vulnerability.
Scans uploaded files for malicious code such as web shells at entry points, blocking or alerting on dangerous uploads.