WordPress Plugin Vulnerabilities

Pure Chat – Live Chat Plugin & More! <= 2.22 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description

The Pure Chat – Live Chat Plugin & More! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the purechatwid and purechatwname parameter in all versions up to, and including, 2.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
pure-chat
Fixed in 2.23

References

CVE
CVE-2024-3595
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5d03c798-dc77-407c-8674-d0bd2f1ada8c

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
7a93aa48-74af-4b53-831d-d7956a33314c

Timeline

Publicly Published
2024-05-08 (about 2 years ago)
Added
2024-05-08 (about 2 years ago)
Last Updated
2025-11-28 (about 5 months ago)

Other

Published
Title
Published
2024-02-12
Title
SiteOrigin Widgets Bundle < 1.58.3 - Contributor+ Stored Cross-Site Scripting
Published
2025-03-14
Title
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto < 8.0.10 - Unauthenticated Stored Cross-Site Scripting
Published
2024-04-29
Title
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 - Contributor+ Stored Cross-Site Scripting via Shortcode
Published
2024-04-19
Title
Icon Widget < 1.4.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Published
2024-04-11
Title
WPBakery Visual Composer < 7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Heading tag attribute