Published:2017/06/01 Last Updated:2017/06/01

JVN#70951878
WordPress plugin "WP Live Chat Support" vulnerable to cross-site scripting

Overview

The WordPress plugin "WP Live Chat Support" contains a cross-site scripting vulnerability.

Products Affected

WP Live Chat Support prior to version 7.0.07

Description

The WordPress plugin "WP Live Chat Support" provided by CODECABIN_ contains a cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed on a logged in user's web browser.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

Vendor Status

Vendor	Link
CODECABIN_	Changeset 1658232 - WordPress Plugin Repository

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score: 6.1

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N

Base Score: 2.6

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2017-2187
JVN iPedia	JVNDB-2017-000103