PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12041 chatra CVE debrief

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Vendor
chatra
Product
Chatra Live Chat + ChatBot + Cart Saver
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Administrators of WordPress multi-site installations or installations with unfiltered_html disabled, using Chatra Live Chat + ChatBot + Cart Saver plugin versions up to 1.0.12, should assess and mitigate this vulnerability to prevent potential XSS attacks.

Technical summary

The vulnerability exists in the Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress, specifically in versions up to and including 1.0.12. It allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts due to insufficient input sanitization and output escaping. The vulnerability is exploitable in multi-site installations and those with unfiltered_html disabled.

Defensive priority

Medium priority due to the requirement for administrator-level permissions and specific configuration (multi-site or unfiltered_html disabled).

Recommended defensive actions

  • Update the Chatra Live Chat + ChatBot + Cart Saver plugin to a version beyond 1.0.12.
  • Restrict administrator-level permissions to trusted users.
  • Monitor for suspicious activity in multi-site installations or where unfiltered_html is disabled.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

Evidence from the CVE record and NVD detail indicate a Stored Cross-Site Scripting vulnerability exists in the Chatra Live Chat + ChatBot + Cart Saver plugin. The CVE was published and last modified on 2026-07-08T06:16:21.853Z. Limited details are available on exploitability and affected scope beyond multi-site and unfiltered_html configurations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T06:16:21.853Z and has not been modified since then.