Impact
Unrestricted upload of files with dangerous types in the Chaty Pro WordPress plugin allows an attacker to place executable scripts on the web server, effectively creating a vector for remote code execution. The flaw is a classic example of CWE‑434, where the plugin fails to filter or validate file extensions and MIME types before saving the upload. The vulnerability has a CVSS base score of 10, indicating maximum severity, and attackers could leverage it to compromise the entire site.
Affected Systems
The issue affects the WordPress Chaty Pro plugin, all versions from the initial release through 3.3.3 inclusive. Any WordPress site that has installed the plugin without updating to the patched version 3.3.4 or later is vulnerable. The problem is tied specifically to the plugin's file upload feature.
Risk and Exploitability
The CVSS score of 10 reflects the maximum severity of impact, while the EPSS score of less than 1% suggests that, at present, exploitation rates are low; the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the ability to upload arbitrary files to a web-accessible directory offers a straightforward path to remote code execution, especially if the site does not enforce strict file type restrictions or proper directory permissions. Based on the description, the most probable exploitation vector involves leveraging the plugin's upload interface to upload a malicious PHP web shell, which the attacker then executes remotely.
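The extension-and-content check that the advisory says the plugin lacks, shown as an added example that is not Chaty Pro's code or its 3.3.4 fix; the validate_upload() function, the UPLOAD_ALLOWLIST constant and the sample file are hypothetical constructions:

```php
<?php
// Added illustration, not Chaty Pro's code or its patched version: an allowlist-based
// validator of the kind that closes a CWE-434 gap. All names here are hypothetical.

// Extension => MIME types accepted for it; the MIME type is verified from file bytes.
const UPLOAD_ALLOWLIST = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

/**
 * Validate an upload before it is written under a web-accessible directory.
 * Returns a freshly generated, server-chosen file name, or null to reject.
 */
function validate_upload(string $client_name, string $tmp_path): ?string
{
    // 1. Never trust the client-supplied path: keep only the base name.
    $base = basename($client_name);

    // 2. Require exactly one extension. This also rejects names such as
    //    "a.php.png", which some server handler configurations treat as PHP.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);

    // 3. The extension must be on the allowlist; a denylist of "php" alone
    //    misses equivalent extensions and case variants.
    if (!isset(UPLOAD_ALLOWLIST[$ext])) {
        return null;
    }

    // 4. Take the MIME type from the file content, not from the client's claim.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime === false || !in_array($mime, UPLOAD_ALLOWLIST[$ext], true)) {
        return null;
    }

    // 5. Store under a random name so the uploader never controls the final path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a minimal PNG signature plus IHDR chunk in a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00");
var_dump(validate_upload('photo.png', $tmp));
var_dump(validate_upload('shell.php', $tmp));
var_dump(validate_upload('shell.php.png', $tmp));
unlink($tmp);
```

Within WordPress itself, wp_check_filetype_and_ext() performs the equivalent extension and content check against the site's allowed MIME list. Run with the PHP fileinfo extension enabled; only the photo.png call should come back with a generated name.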