An unauthenticated user can inject arbitrary javascript code in the admin panel by using the text field “Name” of WP Live Chat Support. The arbitrary code runs on the page wplivechat-menu-history. In the file wp-live-chat-support.php there is no sanitization of $result->id (row 4439). WP Live Chat Support 8.0.05 is vulnerable, probably earlier versions too. The vulnerability is fixed in WP Live Cjat Support 8.0.06