The plugin does not sanitise and escape many of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks against all admins when they configure the chatbot and against all clients when they use the chatbot.
1. Go to “Settings > Language Settings > ChatBot Keywords”.
2. Enter the PoC: POC"> in the “Welcome to Help Section”, “Type and Hit Enter”, or “clear our chat history” fields.
3. Save and see the XSS.
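
The fix pattern for this class of bug, as an added example that is not the plugin's own code: sanitise the three fields when they are saved and escape them for their output context when they are rendered. The option name, settings group, field keys and `demo_` function names are hypothetical; the WordPress calls are core APIs.

```php
<?php
// Added example: hypothetical option name and field keys, not the plugin's own.
const DEMO_CHATBOT_OPTION = 'demo_chatbot_language';
const DEMO_CHATBOT_FIELDS = array(
    'welcome_help'  => 'Welcome to Help Section',
    'type_hit'      => 'Type and Hit Enter',
    'clear_history' => 'clear our chat history',
);

// Sanitise on save: keep only the known keys and strip markup from each value.
function demo_chatbot_sanitize( $input ) {
    $clean = array();
    foreach ( array_keys( DEMO_CHATBOT_FIELDS ) as $key ) {
        $value         = isset( $input[ $key ] ) && is_string( $input[ $key ] ) ? $input[ $key ] : '';
        $clean[ $key ] = sanitize_text_field( $value );
    }
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'demo_chatbot_group', DEMO_CHATBOT_OPTION, array(
        'type'              => 'array',
        'sanitize_callback' => 'demo_chatbot_sanitize',
    ) );
} );

// Escape on output (admin form): the value sits inside a quoted attribute,
// so esc_attr() turns a stored "> into entities instead of closing the tag.
function demo_chatbot_render_fields() {
    $saved = (array) get_option( DEMO_CHATBOT_OPTION, array() );
    foreach ( DEMO_CHATBOT_FIELDS as $key => $label ) {
        $value = isset( $saved[ $key ] ) ? $saved[ $key ] : '';
        printf(
            '<label>%1$s <input type="text" name="%2$s[%3$s]" value="%4$s"></label>',
            esc_html( $label ),
            esc_attr( DEMO_CHATBOT_OPTION ),
            esc_attr( $key ),
            esc_attr( $value )
        );
    }
}

// Escape on output (front-end chatbot): element content uses esc_html().
function demo_chatbot_welcome_html() {
    $saved = (array) get_option( DEMO_CHATBOT_OPTION, array() );
    $text  = isset( $saved['welcome_help'] ) ? $saved['welcome_help'] : '';
    return '<div class="demo-chatbot-welcome">' . esc_html( $text ) . '</div>';
}
```

Escaping at output is the control that matters for values already stored before the fix; sanitising on save only covers new writes.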