Atomic Edge analysis of CVE-2026-27370:
The Floating Chat Widget (Chaty) WordPress plugin, in versions up to and including 3.5.1, contains an unauthenticated information exposure vulnerability: an attacker can download a CSV file of the contact leads the widget has collected without authenticating to the site. The issue resides in the plugin's contact leads export functionality.

The root cause is a missing capability check in the `download_chaty_contact_leads` function of the `Chaty_Admin_Base` class. In the vulnerable code at `chaty/admin/class-admin-base.php`, lines 1276-1330, the function only verifies a nonce via `wp_verify_nonce($postData['nonce'], "download_chaty_contact_leads")`; it never checks whether the requesting user holds an administrative capability (for example with `current_user_can()`). A WordPress nonce is a CSRF token, not an authorization decision: `wp_verify_nonce()` only establishes that the request carries a token minted for the same action, user ID and session, and for a logged-out visitor that user ID is 0, so a nonce that reaches an anonymous visitor is valid for every anonymous visitor for the 12 to 24 hours the nonce tick lasts. Any unauthenticated party that obtains a valid nonce can therefore reach the export.

Exploitation requires the attacker to send a GET request to the WordPress `admin-ajax.php` endpoint with specific parameters: a request to `/wp-admin/admin-ajax.php` carrying `download_chaty_file=chaty_contact_leads` and a valid `nonce` value. WordPress nonces are HMAC-derived from the site's secret salts and cannot be predicted without them, so the attacker must obtain one through leakage elsewhere in the application; because the nonce also encodes the user ID, only a nonce minted in a logged-out context (user ID 0) verifies for an anonymous request. Successful exploitation triggers the database query at lines 1285-1305, which exports all contact lead data, including visitor name, email, phone, message, page URL, and timestamp.

The patch in version 3.5.2 addresses the issue by improving file management and cleanup, but it does not appear to add an explicit capability check. The critical changes are: replacing the static filename `chaty_contact_leads.csv` with a dynamic `chaty-contact-leads-{uniqid}.csv`, generated with `uniqid()` at line 1280, and adding `unlink($file)` at line 1333 to delete the file after download. A per-request random name and prompt deletion shrink the window in which a written export can be fetched by someone who knows its path, but they do not decide who may trigger the export, so the fundamental authorization flaw may persist if the capability check remains absent. The patch also removes the `affiliate.php` module entirely, which suggests broader hardening.
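To make the missing check concrete for both the root-cause description and the 3.5.2 changes above, here is an added illustration, written for this analysis and not taken from the Chaty plugin: the nonce-only pattern the advisory describes beside the hardened form a reviewer would expect. All names are hypothetical (`example_leads_export_*`, `example_leads_stream_csv`, the `example_contact_leads` table, the `example_leads_export` nonce action); the only thing assumed from the page is that the request arrives through `admin-ajax.php` with the nonce in a `nonce` parameter. The hardened version goes beyond the patch in two ways: it streams the CSV to the response instead of writing a file, which makes the random filename and `unlink()` unnecessary, and it neutralises spreadsheet formula injection in the visitor-supplied fields, which the advisory does not discuss.

```php
<?php
/**
 * Illustrative contact-leads export handler (hypothetical names, not the
 * Chaty plugin's code). Requires WordPress to be loaded.
 */

// VULNERABLE pattern: the nonce is treated as the authorization decision.
function example_leads_export_vulnerable() {
    // wp_verify_nonce() only proves the caller held a token for this action;
    // for a logged-out caller the token is bound to user ID 0, not to a person.
    if ( ! wp_verify_nonce( $_REQUEST['nonce'] ?? '', 'example_leads_export' ) ) {
        wp_die( 'Invalid nonce', 403 );
    }
    // No current_user_can() check: whoever holds a nonce gets every lead.
    example_leads_stream_csv();
}

// HARDENED pattern: capability check decides authorization, nonce only stops CSRF.
function example_leads_export_hardened() {
    // Dies with HTTP 403 if $_REQUEST['nonce'] is missing or does not verify.
    check_ajax_referer( 'example_leads_export', 'nonce' );

    // Authorization proper: only users allowed to manage the site may export leads.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    example_leads_stream_csv();
}

// Streams the export directly; nothing is written to disk, so there is no
// file to name uniquely or to unlink afterwards.
function example_leads_stream_csv() {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_contact_leads'; // hypothetical table
    $columns = array( 'name', 'email', 'phone', 'message', 'page_url', 'created_at' );
    $rows    = $wpdb->get_results(
        'SELECT ' . implode( ', ', $columns ) . " FROM {$table}",
        ARRAY_A
    );

    nocache_headers(); // leads must not land in shared or browser caches
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="contact-leads-' . gmdate( 'Ymd-His' ) . '.csv"' );
    header( 'X-Content-Type-Options: nosniff' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, $columns );
    foreach ( $rows as $row ) {
        fputcsv( $out, array_map( 'example_leads_csv_escape', $row ) );
    }
    fclose( $out );
    exit;
}

// Visitor-supplied cells are untrusted: a leading = + - @ or tab/CR is
// evaluated as a formula by spreadsheet applications, so prefix it.
function example_leads_csv_escape( $value ) {
    $value = (string) $value;
    if ( $value !== '' && strpos( "=+-@\t\r", $value[0] ) !== false ) {
        return "'" . $value;
    }
    return $value;
}

// Register the hardened handler only on wp_ajax_ (authenticated requests).
// Deliberately no wp_ajax_nopriv_ hook: anonymous calls to admin-ajax.php
// never reach the export at all.
add_action( 'wp_ajax_example_leads_export', 'example_leads_export_hardened' );
```

The ordering matters: `check_ajax_referer()` first rejects forged requests cheaply, then `current_user_can()` makes the actual access decision. Registering only under `wp_ajax_` adds a second, independent barrier. If an export must be written to disk rather than streamed, keep the per-request random name and the `unlink()` that the 3.5.2 patch introduces, and place the file outside the web root so a guessed or leaked path cannot be fetched directly.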

If exploited, this vulnerability exposes the sensitive contact information collected through the Chaty widget: attackers obtain the names, email addresses, phone numbers, and messages of website visitors, together with the page URL and timestamp of each submission. This constitutes a significant privacy violation under regulations such as GDPR and CCPA, and the exposed data could facilitate phishing campaigns, spam, identity theft, or further targeted attacks against the affected users.