WordPress Plugin Vulnerabilities

Sticky Chat Widget < 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The Sticky Chat Widget: WhatsApp, Messenger, Click to chat, SMS, Email, Messages, Call Button, Contact form and more Chat buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
sticky-chat-widget
Fixed in 1.1.9

References

CVE
CVE-2023-51361
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/892fe839-57ca-45bc-aa9b-f1bf87994a77

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
9685c690-93f7-40c8-ac57-5d90919d26eb

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-12-30
Title
Coins MarketCap < 5.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-26
Title
Exclusive Addons for Elementor < 2.7.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget
Published
2024-03-25
Title
Advanced Sermons < 3.2 - Reflected Cross-Site Scripting via s
Published
2024-03-11
Title
WooCommerce Product Filter < 1.4.4 - Admin+ Stored XSS
Published
2015-06-14
Title
Content Grabber 1.0 - Cross-Site Scripting (XSS)