WordPress Plugin Vulnerabilities

Quick Chat <= 4.14 - Authenticated Stored Cross-Site Scripting

Description

An Authenticated Persistent XSS vulnerability is present in the the plugin options page (/wp-admin/options-general.php?page=quick-chat/quick-chat.php), vulnerable fields: «Chat name prefix for guest users», «Advertisement code for your AdSense».

Proof of Concept

The PoC will be displayed once the issue has been remediated

Affects Plugins

quick-chat

No known fix - plugin closed

References

URL

https://ex-mi.ru/exploit/[2020-10-06]-[WordPress]-quick-chat-plugin-v4.14.txt

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Ex.Mi

Submitter

Ex.Mi

Submitter website

https://ex-mi.ru

Verified

Yes

WPVDB ID

41252ea2-7955-4283-9dcf-8852210001a4

Timeline

Publicly Published

2020-10-14 (about 2 years ago)

Added

2020-10-19 (about 2 years ago)

Last Updated

2020-10-20 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin