Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
1. Go to "Chaty > Create New Widgets"
3. Intercept the widget’s edit request and save it.
4. Put the payload in the cht_social_Phone[contact_form_title_bg_color] parameter ">
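
The missing sanitise-on-save and escape-on-output steps for the colour setting named above, shown as an added example that is not the plugin's own code. The function names and the assumption that the value ends up inside an HTML attribute are hypothetical, and plain PHP stands in for WordPress's sanitize_hex_color() and esc_attr() so the block runs on its own.

```php
<?php
// Added example, not the Chaty plugin's code. Function names are hypothetical.
// Assumption: the colour setting is later written into an HTML attribute.

// Validate on save: accept only #rgb or #rrggbb, otherwise use a safe default.
// Inside WordPress, sanitize_hex_color() performs the same check.
function example_sanitize_color($value, string $default = '#ffffff'): string
{
    if (!is_string($value)) {
        return $default; // arrays or nulls sent in place of a string
    }
    $value = trim($value);
    $ok = preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $value) === 1;
    return $ok ? strtolower($value) : $default;
}

// Sanitise the submitted cht_social_Phone[...] array before it is stored.
function example_sanitize_phone_settings($submitted): array
{
    $submitted = is_array($submitted) ? $submitted : [];
    return [
        'contact_form_title_bg_color' =>
            example_sanitize_color($submitted['contact_form_title_bg_color'] ?? null),
    ];
}

// Escape on output as well, so a value stored before the fix (or written
// straight to the database) still cannot break out of the attribute.
// Inside WordPress, esc_attr() is the usual call here.
function example_render_title_bar(array $stored): string
{
    $color = example_sanitize_color($stored['contact_form_title_bg_color'] ?? null);
    return sprintf(
        '<div class="example-title" style="background-color: %s"></div>',
        htmlspecialchars($color, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample requests standing in for $_POST['cht_social_Phone'].
$samples = [
    ['contact_form_title_bg_color' => '#A1B2C3'],
    ['contact_form_title_bg_color' => '"><em>constructed</em>'],
    ['contact_form_title_bg_color' => ['nested' => 'array']],
];
foreach ($samples as $post) {
    $stored = example_sanitize_phone_settings($post);
    echo example_render_title_bar($stored), PHP_EOL;
}
```

Validating against an allow-list rather than stripping characters means the check does not depend on the unfiltered_html capability of the user saving the widget.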