First published: Tue May 15 2018
Stored cross-site scripting (XSS) exists in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields sent to wp-json/wp_live_chat_support/v1/start_chat when an attacker initiates a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
3cx Live Chat | <8.0.08 | |
The vulnerability ID for the wp-live-chat-support plugin is CVE-2018-11105.
The severity of CVE-2018-11105 is medium.
CVE-2018-11105 allows for stored cross-site scripting (XSS) in the wp-live-chat-support plugin.
CVE-2018-11105 can be exploited by an attacker who initiates a new chat with an administrator and supplies malicious input in the "name" and "email" fields.
A fix is available for CVE-2018-11105: update the wp-live-chat-support plugin to version 8.0.08 or later.