The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message
Setup: - In the General Settings of the plugin, check the “Show Chat Bubble at website” checkbox and save. - In the “Bubble Items” enable the “Simple CallBack” and save. Attacker (unauthenticated): - Access the blog and click on the contact bubble. - In any of the offered fields (fname or fphone), enter the following payload and click “Submit”: The XSS will be triggered when an admin will view the related Callback Message via the Callback dashboard (/wp-admin/edit.php?post_type=cbb_callback => /wp-admin/post.php?post=21&action;=edit)