3cx: >> Live Chat >> 6.2.11 Security Vulnerabilities
The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism.
CVSS Score
9.8
EPSS Score
0.008
Published
2020-03-20
The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-13
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-08-12
The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-08-12
The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension.
CVSS Score
9.8
EPSS Score
0.066
Published
2019-06-03
The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-03-22
The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request with a .php filename and the image/jpeg content type.
CVSS Score
9.8
EPSS Score
0.11
Published
2018-07-02
There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-05-15
The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-04-09
Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-06-09
Page 1