Impact
The Chatra Live Chat + ChatBot + Cart Saver WordPress plugin does not properly neutralize user-controlled input during web page generation (CWE-79), resulting in a stored cross-site scripting vulnerability. An attacker can inject arbitrary HTML or JavaScript into content that the plugin persists and later renders to visitors. When a visitor loads an affected page, the injected script executes in that user's browser on the site's origin, which can enable credential theft, session hijacking, or defacement of the page.
Affected Systems
The vulnerability affects the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin in every release up to and including 1.0.11. Any WordPress installation that has this plugin installed and has not upgraded past version 1.0.11 remains exposed. No operating system or WordPress core version restriction is noted; exposure depends on the plugin version alone.
Risk and Exploitability
A CVSS base score of 7.7 places the issue in the high-severity band, while an EPSS score below 1% indicates a very low estimated probability of exploitation in the wild at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so no confirmed in-the-wild exploitation has been recorded there. The likely attack path is any input that the plugin stores and later renders without proper escaping, such as chat messages or plugin configuration settings. An account with administrative or content-authoring privileges could embed a malicious payload in such a field, after which the plugin serves it to every visitor of the affected pages. Because the payload is stored, a single injection persists until the offending record is removed or the plugin is upgraded to a fixed release; the low EPSS score reflects observed exploitation likelihood, not how easy the flaw is to exploit for an attacker who already holds the required access.
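To make the weakness class concrete, the block below is an added illustration and not code from the Chatra plugin, whose source this page does not show. It contrasts the generic WordPress pattern behind a CWE-79 stored XSS (a settings value saved from a form and echoed raw into a front-end widget) with a hardened version that checks capability and nonce, sanitizes on save, and escapes at output. All function and option names (`example_chat_*`) are hypothetical; the WordPress API calls (`update_option`, `get_option`, `sanitize_text_field`, `esc_html`, `esc_attr`, `current_user_can`, `check_admin_referer`, `wp_unslash`) are real core functions.

```php
<?php
// Added illustration, not code from the Chatra plugin. Shows the generic
// WordPress pattern behind a stored XSS (CWE-79) and its hardened form.
// Every example_chat_* name and the 'example_chat_greeting' option are
// hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// Saves whatever the form posted and later prints it raw into the page.
function example_chat_save_greeting_vulnerable() {
    if ( isset( $_POST['greeting'] ) ) {
        // No capability check, no nonce, no sanitization: any request that
        // reaches this handler can store arbitrary markup.
        update_option( 'example_chat_greeting', wp_unslash( $_POST['greeting'] ) );
    }
}

function example_chat_render_greeting_vulnerable() {
    $greeting = get_option( 'example_chat_greeting', '' );
    // A stored payload such as <img src=x onerror="alert(document.cookie)">
    // is emitted verbatim and runs for every visitor who loads the widget.
    echo '<div class="chat-greeting">' . $greeting . '</div>';
}

// --- Hardened pattern ----------------------------------------------------
function example_chat_save_greeting_hardened() {
    if ( ! isset( $_POST['greeting'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings, and
    // the request must carry a valid nonce so it cannot be forged cross-site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_chat_save_greeting' );

    // Store the value as plain text: tags, line breaks and control
    // characters are removed before the option is written.
    $clean = sanitize_text_field( wp_unslash( $_POST['greeting'] ) );
    update_option( 'example_chat_greeting', $clean );
}

function example_chat_render_greeting_hardened() {
    $greeting = get_option( 'example_chat_greeting', '' );
    // Escape at output time, with the function matched to the HTML context:
    // esc_html() for element content, esc_attr() for attribute values.
    // Sanitizing on save is defence in depth, not a replacement: an option
    // written by older plugin code or by another process may still hold
    // markup, and only output escaping neutralizes it where it is rendered.
    printf(
        '<div class="chat-greeting" data-greeting="%s">%s</div>',
        esc_attr( $greeting ),
        esc_html( $greeting )
    );
}

// Wire the hardened handler to a form that posts action=example_chat_save_greeting
// to admin-post.php; the nonce field is produced by wp_nonce_field( 'example_chat_save_greeting' ).
add_action( 'admin_post_example_chat_save_greeting', 'example_chat_save_greeting_hardened' );
```

The same output-escaping rule applies to visitor-supplied chat text shown in an operator or admin view: escape where the value is printed, using the function that matches the surrounding HTML context, and treat any sanitization performed on save as an additional layer rather than the control that prevents the script from executing.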
OpenCVE Enrichment