The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message
Proof of Concept
- In the General Settings of the plugin, check the "Show Chat Bubble at website" checkbox and save.
- In the "Bubble Items" enable the "Simple CallBack" and save.
- Access the blog and click on the contact bubble.
- In any of the offered fields (fname or fphone), enter the following payload and click "Submit": <script>alert(/XSS/)</script>
The XSS will be triggered when an admin will view the related Callback Message via the Callback dashboard (/wp-admin/edit.php?post_type=cbb_callback => /wp-admin/post.php?post=21&action=edit)