The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Steps to Reproduce: 1. Open Chaty Plugin Dashboard. 2. Click on “Create New Widget”. 3. In “Step 1”, select Custom Channel. 4. And type/paste the following Javascript payload in the link field. javascript:alert(2);%22> 5. Save it and visit the website, you will get XSS popup. You can also use javascript:alert(2)
instead of the other payload and have the alert box show up when clicking on the generated link, at the bottom right of the site.