PatchSiren cyber security CVE debrief
CVE-2026-12041 chatra CVE debrief
The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Vendor
- chatra
- Product
- Chatra Live Chat + ChatBot + Cart Saver
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Administrators of WordPress multi-site installations or installations with unfiltered_html disabled, using Chatra Live Chat + ChatBot + Cart Saver plugin versions up to 1.0.12, should assess and mitigate this vulnerability to prevent potential XSS attacks.
Technical summary
The vulnerability exists in the Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress, specifically in versions up to and including 1.0.12. It allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts due to insufficient input sanitization and output escaping. The vulnerability is exploitable in multi-site installations and those with unfiltered_html disabled.
Defensive priority
Medium priority due to the requirement for administrator-level permissions and specific configuration (multi-site or unfiltered_html disabled).
Recommended defensive actions
- Update the Chatra Live Chat + ChatBot + Cart Saver plugin to a version beyond 1.0.12.
- Restrict administrator-level permissions to trusted users.
- Monitor for suspicious activity in multi-site installations or where unfiltered_html is disabled.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
Evidence from the CVE record and NVD detail indicate a Stored Cross-Site Scripting vulnerability exists in the Chatra Live Chat + ChatBot + Cart Saver plugin. The CVE was published and last modified on 2026-07-08T06:16:21.853Z. Limited details are available on exploitability and affected scope beyond multi-site and unfiltered_html configurations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T06:16:21.853Z and has not been modified since then.