
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism. • https://plugins.trac.wordpress.org/changeset/2098577/wp-live-chat-support/trunk https://plugins.trac.wordpress.org/log/wp-live-chat-support https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-862: Missing Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page. • https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST API remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension. • https://wordpress.org/plugins/wp-live-chat-support/#developers https://wp-livechat.com https://wpvulndb.com/vulnerabilities/9320 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS. WordPress WP Live Chat plugin version 8.0.18 suffers from a cross site scripting vulnerability. • http://seclists.org/fulldisclosure/2019/Mar/42 https://lists.openwall.net/full-disclosure/2019/02/05/14 https://security-consulting.icu/blog/2019/02/wordpress-wp-livechat-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request. • https://github.com/rakjong/vuln/blob/master/wordpress_wp-live-chat-support_XSS.pdf https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')