Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Security & Risk Analysis

wordpress.org/plugins/chaty

WhatsApp chat, Facebook Messenger, Telegram, TikTok, Instagram, Email, Line, WeChat Phone call, SMS, 20+ live chat icons & WhatsApp chat pop up 💬

400K active installs v3.5.2 PHP + WP 3.1+ Updated Mar 11, 2026
Tags: chat, chat-button, facebook-messenger, whatsapp, whatsapp-chat
Score: 92
A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Feb 24, 2026
Safety Verdict

Is Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Safe to Use in 2026?

Generally Safe

Score 92/100

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Feb 24, 2026 · Updated 23d ago
Risk Assessment

The Chaty plugin v3.5.2 presents a mixed security posture. On the positive side, the plugin demonstrates good practices in several areas, including a high percentage of prepared statements for SQL queries (79%) and proper output escaping (97%). The presence of numerous nonce checks (19) and capability checks (31) also indicates an effort to secure its functionalities. Furthermore, the static analysis found no critical or high severity taint flows, and there are no currently unpatched CVEs, which is a significant strength.

However, concerns arise from the significant attack surface, particularly the presence of 16 AJAX handlers, with 2 of them lacking authentication checks. This directly exposes functionalities to unauthorized access and potential exploitation. The vulnerability history, while having no currently unpatched vulnerabilities, is concerning due to the sheer number of past CVEs (11) and their types. The prevalence of 'Exposure of Sensitive Information,' 'SQL Injection,' and 'Cross-site Scripting' in its history suggests recurring fundamental security weaknesses that, even if patched, indicate potential for future issues if not addressed comprehensively.

In conclusion, while Chaty v3.5.2 has made strides in secure coding practices like output escaping and prepared statements, and currently has no unpatched critical vulnerabilities, the lack of authentication on critical AJAX endpoints and the extensive history of severe vulnerabilities point to an ongoing need for vigilance. The plugin's strengths lie in its current patching status and good output handling, but its weaknesses are the direct exploitable entry points and a pattern of historical security flaws that warrant careful consideration.

Key Concerns

  • AJAX handlers without auth checks
  • 11 total known CVEs
  • 1 high severity CVE in history
  • 10 medium severity CVEs in history
  • Bundled library Select2
Vulnerabilities
11

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 2 CVEs
  • 2023: 4 CVEs
  • 2024: 2 CVEs
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 10

11 total CVEs

CVE-2026-27370 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty <= 3.5.1 - Unauthenticated Information Exposure

Feb 24, 2026 · Patched in 3.5.2 (10d)

CVE-2025-1450 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty <= 3.3.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Feb 26, 2025 · Patched in 3.3.6 (1d)

CVE-2024-4149 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty <= 3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting

May 23, 2024 · Patched in 3.2.3 (27d)

CVE-2024-2972 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Floating Chat Widget <= 3.1.8 - Authenticated (Editor+) Stored Cross-Site Scripting

Apr 3, 2024 · Patched in 3.1.9 (15d)

CVE-2023-47759 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chaty <= 3.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Nov 13, 2023 · Patched in 3.1.3 (71d)

CVE-2023-3245 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Floating Chat Widget - Chaty <= 3.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 26, 2023 · Patched in 3.1.2 (211d)

CVE-2023-25019 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chaty <= 3.0.9 - Reflected Cross-Site Scripting

May 16, 2023 · Patched in 3.1 (252d)

WF-3baa0543-cdfb-4699-97ca-eaa83c2494a1-chaty · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Chaty <= 3.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting

May 16, 2023 · Patched in 3.1 (252d)

CVE-2022-3858 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Floating Chat Widget - Chaty <= 3.0.2 - Authenticated (Administrator+) SQL Injection

Nov 14, 2022 · Patched in 3.0.3 (435d)

CVE-2021-36846 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button – Chaty <= 2.8.3 - Admin+ Stored Cross-Site Scripting

Apr 7, 2022 · Patched in 2.8.5 (655d)

CVE-2021-25016 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button - Chaty <= 2.8.2 Reflected Cross-Site Scripting

Dec 6, 2021 · Patched in 2.8.3 (778d)

Code Analysis
Analyzed Mar 16, 2026

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (11 prepared)
  • Unescaped Output: 55 (1615 escaped)
  • Nonce Checks: 19
  • Capability Checks: 31
  • File Operations: 3
  • External Requests: 11
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

79% prepared · 14 total queries

Output Escaping

97% escaped · 1670 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
rename_chaty_widget (includes\class-frontend.php:131)
Attack Surface
2 unprotected

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Attack Surface

Entry Points: 16
Unprotected: 2

AJAX Handlers 16

  • auth · wp_ajax_wcp_admin_send_message_to_owner · admin\class-admin-base.php:77
  • auth · wp_ajax_chaty_plugin_deactivate · admin\class-admin-base.php:83
  • auth · wp_ajax_chaty_update_popup_status · admin\class-admin-base.php:89
  • auth · wp_ajax_update_channel_setting · admin\class-admin-base.php:90
  • auth · wp_ajax_hide_chaty_cta · admin\class-admin-base.php:95
  • auth · wp_ajax_get_chatway_status · admin\class-admin-base.php:101
  • auth · wp_ajax_chaty_update_status · includes\class-email-signup.php:47
  • auth · wp_ajax_choose_social · includes\class-frontend.php:76
  • auth · wp_ajax_get_chaty_settings · includes\class-frontend.php:77
  • auth · wp_ajax_chaty_front_form_save_data · includes\class-frontend.php:80
  • nopriv · wp_ajax_chaty_front_form_save_data · includes\class-frontend.php:81
  • auth · wp_ajax_remove_chaty_widget · includes\class-frontend.php:83
  • auth · wp_ajax_rename_chaty_widget · includes\class-frontend.php:84
  • auth · wp_ajax_change_chaty_widget_status · includes\class-frontend.php:87
  • auth · wp_ajax_update_chaty_view · includes\class-frontend.php:90
  • nopriv · wp_ajax_update_chaty_view · includes\class-frontend.php:91

WordPress Hooks 23

  • action · admin_menu · admin\class-admin-base.php:65
  • action · admin_init · admin\class-admin-base.php:67
  • action · admin_init · admin\class-admin-base.php:68
  • action · admin_head · admin\class-admin-base.php:69
  • action · init · admin\class-admin-base.php:73
  • action · admin_footer · admin\class-admin-base.php:82
  • action · admin_enqueue_scripts · admin\class-admin-base.php:85
  • action · admin_enqueue_scripts · admin\class-admin-base.php:87
  • action · admin_head · admin\class-admin-base.php:97
  • action · admin_init · admin\class-admin-base.php:99
  • filter · check_for_chatway · admin\class-admin-base.php:102
  • filter · check_for_chatway_status · admin\class-admin-base.php:103
  • action · admin_footer · admin\class-admin-base.php:106
  • action · update_option_chaty_updated_on · admin\class-admin-base.php:2762
  • action · init · cht-icons.php:150
  • action · activated_plugin · cht-icons.php:154
  • action · admin_init · cht-icons.php:236
  • action · wp_enqueue_scripts · includes\class-frontend.php:97
  • filter · script_loader_tag · includes\class-frontend.php:747
  • action · admin_enqueue_scripts · includes\class-review-box.php:96
  • action · admin_notices · includes\class-review-box.php:97
  • action · admin_enqueue_scripts · includes\class-review-box.php:100
  • action · admin_notices · includes\class-upgrade-box.php:29

Maintenance & Trust

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version
Downloads: 6.7M

Community Trust

Rating: 100/100
Number of ratings: 1,223
Active installs: 400K
Developer Profile

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty Developer Profile

Premio

9 plugins · 651K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 168 days
Detection Fingerprints

How We Detect Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/chaty/admin/css/chaty-admin.css
  • /wp-content/plugins/chaty/admin/css/colorpicker.css
  • /wp-content/plugins/chaty/admin/js/chaty-admin.js
  • /wp-content/plugins/chaty/admin/js/colorpicker.js
  • /wp-content/plugins/chaty/frontend/css/chaty-frontend.css
  • /wp-content/plugins/chaty/frontend/js/chaty-frontend.js
  • /wp-content/plugins/chaty/includes/css/chaty-review-box.css
  • /wp-content/plugins/chaty/includes/css/chaty-upgrade-box.css
  • +3 more

Script Paths

  • /wp-content/plugins/chaty/admin/js/chaty-admin.js
  • /wp-content/plugins/chaty/admin/js/colorpicker.js
  • /wp-content/plugins/chaty/frontend/js/chaty-frontend.js
  • /wp-content/plugins/chaty/includes/js/chaty-review-box.js
  • /wp-content/plugins/chaty/includes/js/chaty-upgrade-box.js
  • /wp-content/plugins/chaty/includes/js/email-signup.js

Version Parameters

  • chaty/admin/css/chaty-admin.css?ver=
  • chaty/admin/css/colorpicker.css?ver=
  • chaty/admin/js/chaty-admin.js?ver=
  • chaty/admin/js/colorpicker.js?ver=
  • chaty/frontend/css/chaty-frontend.css?ver=
  • chaty/frontend/js/chaty-frontend.js?ver=
  • chaty/includes/css/chaty-review-box.css?ver=
  • chaty/includes/css/chaty-upgrade-box.css?ver=
  • chaty/includes/js/chaty-review-box.js?ver=
  • chaty/includes/js/chaty-upgrade-box.js?ver=
  • chaty/includes/js/email-signup.js?ver=

HTML / DOM Fingerprints

CSS Classes
chaty-widget, chaty-chat-icon, chaty-main, chaty-floating-icon
HTML Comments
<!-- Chaty -->
Data Attributes
data-chaty-id, data-chaty-settings
JS Globals
chaty_settings, Chaty, chaty_widget_instances
FAQ

Frequently Asked Questions about Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty