WP Live Chat Support 8.0.05 Cross Site Scripting

WP Live Chat Support version 8.0.05 suffers from a cross site scripting vulnerability.


MD5 | 49cae5682990389bb8e36325ff6af95d

An unauthenticated user can inject arbitrary JavaScript code into the admin panel through the "Name" text field of WP Live Chat Support. The injected code runs on the wplivechat-menu-history page.

In the file wp-live-chat-support.php, $result->id is not sanitized (line 4439).
WP Live Chat Support 8.0.05 is vulnerable, and earlier versions probably are too.

In WP Live Chat Support 8.0.06 the vulnerability is fixed.
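
The pattern described above (a visitor-supplied field stored and later echoed into an admin page without output escaping), shown as an added example that is not the plugin's code. The function names, row layout and sample values are constructed, and `htmlspecialchars()` stands in for WordPress's `esc_html()`/`esc_attr()` so the snippet runs without WordPress.

```php
<?php
// Added illustration, not code from wp-live-chat-support.php.
// Row shape, function names and sample data are hypothetical.

// Constructed sample: chat records whose "name" came from an unauthenticated visitor.
$rows = [
    (object) ['id' => 7, 'name' => 'Alice', 'email' => 'alice@example.test'],
    (object) ['id' => 8, 'name' => '<script>alert(1)</script>', 'email' => 'x@example.test'],
];

// Vulnerable pattern: stored values are concatenated straight into admin HTML.
function render_history_row_unsafe(object $row): string
{
    return "<tr id=\"record_{$row->id}\"><td>{$row->name}</td><td>{$row->email}</td></tr>";
}

// Hardened pattern: cast numeric ids and escape every value for the HTML context.
// Inside WordPress, esc_attr()/esc_html() would be used instead of this helper.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_history_row_safe(object $row): string
{
    $id = (int) $row->id;
    return sprintf(
        '<tr id="record_%d"><td>%s</td><td>%s</td></tr>',
        $id,
        h((string) $row->name),
        h((string) $row->email)
    );
}

foreach ($rows as $row) {
    $unsafe = render_history_row_unsafe($row);
    $safe   = render_history_row_safe($row);
    // A live <script> tag only survives in the unescaped rendering.
    printf(
        "id=%d unsafe_has_script=%s safe_has_script=%s\n%s\n",
        $row->id,
        var_export(stripos($unsafe, '<script') !== false, true),
        var_export(stripos($safe, '<script') !== false, true),
        $safe
    );
}
```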

Video PoC: https://www.youtube.com/watch?v=eHG1pWaez9w

URL public disclosure: https://www.gubello.me/blog/wp-live-chat-support-8-0-05-stored-xss/
