JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF
CVE-2022-0642

5.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 30 May 2022

Summary

The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugin's admin page and does not sanitise some parameters. This leads to a stored Cross-Site Scripting vulnerability in which an attacker can trick a logged-in administrator into injecting arbitrary JavaScript.

Affected Version(s)

JivoChat Live Chat – WP live chat plugin for WordPress 1.3.5.4

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhamad hidayat