WP Chat App Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Image Attribute – CVE-2024-2513 |WordPress Plugin Vulnerability Report

Plugin Name: WP Chat App

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-whatsapp
  • Software Status: Active
  • Software Author: ninjateam
  • Software Downloads: 950,913
  • Active Installs: 100,000
  • Last Updated: April 1, 2024
  • Patched Versions: 3.6.3
  • Affected Versions: <= 3.6.2

Vulnerability Details:

  • Name: WP Chat App <= 3.6.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Image Attribute
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2513
  • CVSS Score: 6.4
  • Publicly Published: March 29, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The WP Chat App, a popular plugin designed to integrate WhatsApp chat functionality into WordPress sites, has been identified to have a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 3.6.2. The vulnerability originates from the 'imageAlt' block attribute, where insufficient input sanitization and output escaping allow attackers with at least contributor-level access to inject harmful scripts. These scripts can then be executed by any user visiting the affected page, posing significant security risks.


The WP Chat App plugin, crucial for enhancing user engagement on WordPress sites through WhatsApp integration, contains a critical Stored XSS vulnerability in versions up to and including 3.6.2. This vulnerability, posing substantial security threats, has been effectively rectified in the patched version 3.6.3.

Detailed Overview:

Uncovered by cybersecurity researcher Ngô Thiên An from VNPT-VCI, this vulnerability underscores the importance of rigorous input validation within WordPress plugins. The ability for attackers to inject and execute arbitrary scripts compromises both the site's integrity and the safety of its users. The prompt issuance of a patched version by the developers, 3.6.3, mitigates this vulnerability, highlighting their commitment to user security.

Advice for Users:

  • Immediate Action: Users of the WP Chat App plugin should immediately update to the patched version, 3.6.3, to secure their WordPress sites against potential exploitation.
  • Check for Signs of Vulnerability: Site administrators are advised to review their sites for unusual content or behavior that might indicate prior exploitation of this vulnerability.
  • Alternate Plugins: While the patched version addresses this vulnerability, users might consider evaluating alternative WhatsApp chat integration plugins for WordPress, especially if they have ongoing security concerns.
  • Stay Updated: Keeping plugins updated to their latest versions is crucial for website security. Regular updates help protect against known vulnerabilities and ensure the optimal functioning of your WordPress site.


The swift action taken by the developers of the WP Chat App plugin in addressing the Stored Cross-Site Scripting vulnerability serves as a valuable reminder of the critical role that timely updates play in maintaining website security. By updating to version 3.6.3 or later, users can reinforce the security of their WordPress installations, ensuring the safety and integrity of their digital presence in the face of evolving cyber threats.


Detailed Report: 

In the digital age, where WordPress plugins like WP Chat App play a pivotal role in enhancing website interactivity and user engagement, the discovery of security vulnerabilities serves as a crucial reminder of the constant vigilance needed to safeguard online assets. The recent unveiling of a Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-2513, in the WP Chat App underscores the importance of maintaining updated and secure web platforms, especially for small business owners who rely on these tools for their online operations.

About the Plugin:

WP Chat App, renowned for seamlessly integrating WhatsApp chat functionality into WordPress sites, has become a key tool for businesses looking to enhance customer communication. With nearly a million downloads and 100,000 active installations, its influence is undeniable. Developed by ninjateam, this plugin has been instrumental in fostering user engagement across a multitude of WordPress sites.

The Vulnerability Uncovered:

Identified as CVE-2024-2513, this vulnerability was found in versions of the WP Chat App up to 3.6.2. Stemming from insufficient sanitization of the 'imageAlt' block attribute, it allows attackers with contributor-level access to inject malicious scripts, posing a significant risk to site integrity and user data security. This issue was brought to light by cybersecurity researcher Ngô Thiên An from VNPT-VCI, emphasizing the need for rigorous input validation within WordPress plugins.

Risks and Potential Impacts:

The potential impacts of this vulnerability are far-reaching, encompassing everything from unauthorized data access to the compromise of user privacy and site security. The ability of attackers to execute arbitrary scripts threatens not only the technical stability of affected websites but also the trust and confidence of their users.

Remediation Steps:

In response to CVE-2024-2513, the developers of WP Chat App promptly released a patched version, 3.6.3, effectively neutralizing the threat. Users are strongly encouraged to update their plugin to this latest version to protect against exploitation. Additionally, website administrators should remain vigilant, monitoring their sites for unusual activity and considering alternative plugins if ongoing security concerns persist.

Historical Context:

This is not the first security challenge faced by the WP Chat App, with two previous vulnerabilities reported since December 2023. These incidents highlight the evolving nature of cyber threats and the imperative for continuous plugin updates and security assessments.

The Imperative of Digital Vigilance:

For small business owners, the incident underscores the critical importance of staying abreast of security updates and vulnerabilities. In a digital ecosystem where threats are constantly evolving, the security of WordPress installations is paramount. Regular updates, vigilant monitoring, and a proactive stance toward digital security are essential in protecting the digital presence of businesses. In an era where online credibility can significantly impact business success, ensuring the security of WordPress sites is not merely a technical task but a cornerstone of digital business strategy.

In conclusion, the swift remediation of the Stored Cross-Site Scripting vulnerability within the WP Chat App plugin serves as a valuable lesson in the critical role that timely updates play in maintaining website security. By adhering to best practices for plugin updates and security, businesses can fortify their WordPress installations against potential threats, safeguarding their digital assets and preserving the trust of their users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WP Chat App Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Image Attribute – CVE-2024-2513 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment