WordPress Plugin Vulnerabilities

JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.

Proof of Concept

Affects Plugins

Plugin icon
jivochat
Fixed in 1.3.5.4

References

CVE
CVE-2022-0642

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
muhamad hidayat
Submitter
muhamad hidayat
Submitter website
https://muh-hidayat7799.medium.com/
Submitter twitter
hidesu_ae
Verified
Yes
WPVDB ID
099cf9b4-0b3a-43c6-8ca9-7c2d50f86425

Timeline

Publicly Published
2022-05-09 (about 3 years ago)
Added
2022-05-09 (about 3 years ago)
Last Updated
2022-05-09 (about 3 years ago)

Other

Published
Title
Published
2021-05-05
Title
Ship To Ecourier < 1.0.2 - Plugin's Settings Update via CSRF
Published
2024-04-26
Title
FameTheme Demo Importer < 1.1.6 - Cross-Site Request Forgery
Published
2019-06-16
Title
WebP Express <= 0.14.10 - Multiple Issues
Published
2025-01-24
Title
Ultimate Coming Soon & Maintenance < 1.1.0 - Cross-Site Request Forgery
Published
2014-08-01
Title
Cool Video Gallery 1.8 - admin/gallery-details.php Multiple Actions CSRF