WP-Live Chat by 3CX < 8.2.0 – Authenticated Stored Cross-Site Scripting

Description

There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload.

Proof of Concept

https://www.dropbox.com/s/ns70e582v1rlkhz/3CX-WP-Live-Chat-XSS.mp4?dl=0

Affects Plugins

wp-live-chat-support

Fixed in 8.2.0

References

URL

https://plugins.trac.wordpress.org/changeset/2339079

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Chevon Phillip

Submitter

Chevon Phillip

Submitter website

https://chevonphillip.com

Submitter twitter

https://twitter.com/chevonphillip

Verified

Yes

WPVDB ID

07b184e9-ce38-4aed-8b7c-fc1ac2e8f3dd

Timeline

Publicly Published

2020-07-12 (about 5 years ago)

Added

2020-07-12 (about 5 years ago)

Last Updated

2020-07-12 (about 5 years ago)

Other

Published

Title

Published

2024-06-06

Title

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.8.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox and Modal Widget

Published

2025-12-30

Title

Team Showcase < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-23

Title

Display Custom Post <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-09-21

Title

WP-Matomo Integration (WP-Piwik) < 1.0.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2016-04-12

Title

MiniMax <= 2.0.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)