WordPress Plugin Vulnerabilities

JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.

Proof of Concept

Affects Plugins

Plugin icon
jivochat
Fixed in 1.3.5.4

References

CVE
CVE-2022-0642

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
muhamad hidayat
Submitter
muhamad hidayat
Submitter website
https://muh-hidayat7799.medium.com/
Submitter twitter
hidesu_ae
Verified
Yes
WPVDB ID
099cf9b4-0b3a-43c6-8ca9-7c2d50f86425

Timeline

Publicly Published
2022-05-09 (about 3 years ago)
Added
2022-05-09 (about 3 years ago)
Last Updated
2022-05-09 (about 3 years ago)

Other

Published
Title
Published
2023-05-02
Title
Newsletter Popup <= 1.2 - Record Deletion via CSRF
Published
2025-02-21
Title
A1POST.BG Shipping for WooCommerce < 1.5.1 - Privilege Escalation via CSRF
Published
2025-05-07
Title
Simple calendar for Elementor < 1.6.6 - Cross-Site Request Forgery
Published
2024-01-30
Title
Post Video Players < 1.160 - Settings Update via CSRF
Published
2025-09-22
Title
Emergency Password Reset < 9.4 - Cross-Site Request Forgery