------------------------------------------------------------------------
Persistent Cross-Site Scripting in WP Live Chat Support plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WP Live Chat Support plugin. By using this vulnerability an attacker
can supply malicious code on behalf of a logged on WordPress user in
order to perform a wide variety of actions, such as stealing victims'
session tokens or login credentials, performing arbitrary actions on
their behalf, and logging their keystrokes.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP Live Chat Support WordPress
plugin version 6.2.00.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 6.2.02 of the WP Live Chat Support
plugin. The updated plugin can be downloaded from the following
location:
https://downloads.wordpress.org/plugin/wp-live-chat-support.zip.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_live_chat_support_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.