WordPress Plugin Vulnerabilities

Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message

Proof of Concept

Affects Plugins

Plugin icon
chat-bubble
Fixed in 2.3

References

CVE
CVE-2022-3415

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Juampa Rodríguez
Submitter
Juampa Rodríguez
Submitter website
https://infayer.com/
Submitter twitter
und3sc0n0c1d0
Verified
Yes
WPVDB ID
012c5b64-ef76-4539-afd8-40f6c329ae88

Timeline

Publicly Published
2022-10-18 (about 3 years ago)
Added
2022-10-18 (about 3 years ago)
Last Updated
2022-10-19 (about 3 years ago)

Other

Published
Title
Published
2025-09-22
Title
Pinterest Pinboard Widget <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
Twitter News Feed <= 1.1.1 - Reflected Cross-Site Scripting
Published
2024-12-19
Title
NewsDaily <= 1.0.64 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2016-04-21
Title
Google SEO Pressor Snippet <= 1.2.6 - Reflected Cross-Site Scripting (XSS)
Published
2023-11-06
Title
Featured Image Caption < 0.8.11 - Contributor+ Stored XSS