
CVSS: 9.8 | EPSS: 3% | CPEs: 1 | EXPL: 1

The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request with a .php filename and the image/jpeg content type.
• https://github.com/CodeCabin/wp-live-chat-support/blob/master/readme.txt https://github.com/RiieCco/write-ups/tree/master/CVE-2018-12426 https://wpvulndb.com/vulnerabilities/9697
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.
• https://github.com/RiieCco/write-ups/tree/master/CVE-2018-11105 https://wordpress.org/plugins/wp-live-chat-support/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.
• https://wordpress.org/plugins/wp-live-chat-support/#developers https://www.gubello.me/blog/wp-live-chat-support-8-0-05-stored-xss https://www.youtube.com/watch?v=eHG1pWaez9w
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.
• https://wordpress.org/plugins/wp-live-chat-support/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.
• https://wordpress.org/plugins/wp-live-chat-support/#developers https://wpvulndb.com/vulnerabilities/9719
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')