WP Live Chat Support < 8.0.06 – Unauthenticated Stored XSS | CVE 2018-9864 | Plugin Vulnerabilities

Description

An unauthenticated user can inject arbitrary javascript code in the admin panel by using the text field "Name" of WP Live Chat Support. The arbitrary code runs on the page wplivechat-menu-history.

In the file wp-live-chat-support.php there is no sanitization of $result->id (row 4439).
WP Live Chat Support 8.0.05 is vulnerable, probably earlier versions too.
The vulnerability is fixed in WP Live Cjat Support 8.0.06

Affects Plugins

wp-live-chat-support

Fixed in 8.0.06

References

CVE

URL

https://www.gubello.me/blog/wp-live-chat-support-8-0-05-stored-xss/

URL

https://plugins.trac.wordpress.org/changeset/1845436/wp-live-chat-support

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

Luigi

Submitter website

https://www.gubello.me/blog/

Verified

No

WPVDB ID

7d0b7476-7e11-434e-b1c7-85ea7a3b0f7e

Timeline

Publicly Published

2018-04-09 (about 8 years ago)

Added

2018-04-09 (about 8 years ago)

Last Updated

2021-01-19 (about 5 years ago)

Other

Published

Title

Published

2023-12-05

Title

WP Photo Album Plus < 8.6.01.005 - Cross-Site Scripting

Published

2024-12-02

Title

Awesome Shortcodes < 1.7.3 - Reflected XSS

Published

2022-11-17

Title

Ezoic < 2.8.9 - Unauthenticated Settings Update to Stored XSS

Published

2026-05-04

Title

Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute

Published

2024-12-06

Title

WP-SVG <= 0.9 - Contributor+ Stored XSS via Shortcode