wpvulndb | Muhamad hidayat | WPVDB-ID:099CF9B4-0B3A-43C6-8CA9-7C2D50F86425
History: May 09, 2022 - 12:00 a.m.

JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF

wpscan.com

EPSS: 0.001 Low
Percentile: 21.3%

The plugin does not properly check CSRF tokens on POST requests to the plugin's admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged-in administrator into injecting arbitrary JavaScript.
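The two missing controls described above, shown as a generic WordPress settings handler beside its hardened form. This is an added example, not JivoChat's code: the option name, nonce action and `widget_id` field are hypothetical, and it assumes it runs inside the WordPress admin.

```php
<?php
// Added example, not the plugin's code. The option name, nonce action and
// the 'widget_id' field are hypothetical placeholders.
const EXAMPLE_OPTION       = 'example_chat_widget_id';
const EXAMPLE_NONCE_ACTION = 'example_chat_save_settings';

// Pattern the advisory describes: no CSRF token check, raw value stored.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['widget_id'] ) ) {
        update_option( EXAMPLE_OPTION, $_POST['widget_id'] );
    }
}

// Hardened handler: capability check, nonce check, then sanitise on input.
function example_save_settings_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request unless $_POST['_wpnonce'] is valid for this action
    // and this user, so a forged cross-site POST is rejected here.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    $widget_id = isset( $_POST['widget_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['widget_id'] ) )
        : '';
    update_option( EXAMPLE_OPTION, $widget_id );
}

// Settings form: emit the nonce field and escape stored data on output,
// so a value that slipped in earlier is still rendered inert.
function example_render_settings_page() {
    $widget_id = get_option( EXAMPLE_OPTION, '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION ); ?>
        <input type="text" name="widget_id"
               value="<?php echo esc_attr( $widget_id ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

If a stored value is rendered as a link target rather than a form field, `esc_url()` is the matching output escaper.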

PoC

The XSS is triggered when the admin clicks “Go to Web Application”.

CPE
Name      Operator  Version
jivochat  lt        1.3.5.4
