WordPress Plugin Vulnerabilities

Tidio Live Chat < 4.2.0 - CSRF to Stored XSS

Description

A CSRF vulnerability in the Tidio Live Chat WordPress Plugin <= 4.1.0 allows attackers to trick admins into adding a Stored XSS payload presented to all visitors.

Fixed in 4.2.0.

Proof of Concept

Affects Plugins

Plugin icon
tidio-live-chat
Fixed in 4.2.0

References

URL
https://dannewitz.ninja/posts/tidio-livechat-wordpress-plugin-csrf-to-stored-xss
URL
https://plugins.trac.wordpress.org/changeset/2186087/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Paul Dannewitz
Submitter
Paul Dannewitz
Submitter website
https://dannewitz.ninja
Submitter twitter
padannewitz
Verified
No
WPVDB ID
d4067348-a597-40bc-8ec8-a751efde353a

Timeline

Publicly Published
2019-11-05 (about 6 years ago)
Added
2019-11-05 (about 6 years ago)
Last Updated
2020-10-25 (about 5 years ago)

Other

Published
Title
Published
2025-05-02
Title
Abundatrade Plugin <= 1.8.02 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-15
Title
VikAppointments Services Booking Calendar < 1.2.17 - Cross-Site Request Forgery
Published
2023-10-16
Title
Sort SearchResult By Title < 11.0 - CSRF
Published
2025-04-01
Title
Uptime Robot Plugin for WordPress <= 2.3 - Cross-Site Request Forgery
Published
2023-12-06
Title
First Order Discount Woocommerce < 1.22 - Discount Update via CSRF