WordPress Plugin Vulnerabilities

Quick Chat <= 4.14 - Authenticated Stored Cross-Site Scripting

Description

An Authenticated Persistent XSS vulnerability is present in the the plugin options page (/wp-admin/options-general.php?page=quick-chat/quick-chat.php), vulnerable fields: «Chat name prefix for guest users», «Advertisement code for your AdSense».

Proof of Concept

Affects Plugins

Plugin icon
quick-chat
No known fix

References

URL
https://ex-mi.ru/exploit/[2020-10-06]-[WordPress]-quick-chat-plugin-v4.14.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.4 (high)

Miscellaneous

Original Researcher
Ex.Mi
Submitter
Ex.Mi
Submitter website
https://ex-mi.ru
Verified
Yes
WPVDB ID
41252ea2-7955-4283-9dcf-8852210001a4

Timeline

Publicly Published
2020-10-14 (about 5 years ago)
Added
2020-10-19 (about 5 years ago)
Last Updated
2020-10-20 (about 5 years ago)

Other

Published
Title
Published
2025-01-30
Title
Music Sheet Viewer <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-06-16
Title
WP Backup Manager <= 1.13.1 - Reflected XSS
Published
2023-11-06
Title
SendPress Newsletters < 1.23.11.6 - Contributor+ Stored XSS
Published
2024-01-17
Title
BP Profile Search < 5.6 - Reflected Cross-Site Scripting via BPS_FORM
Published
2024-02-12
Title
Bold Page Builder < 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link