Stored Cross-Site Scripting in Pure Chat Plugin for WordPress
CVE-2024-13736

6.1MEDIUM

Key Information:

Vendor: Pure-chat
Status: Pure Chat – Live Chat & More!
Vendor: CVE Published:; 19 February 2025

Summary

The Pure Chat – Live Chat & More! plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit the ‘purechatWidgetName’ parameter. This occurs due to inadequate input sanitization and output escaping, enabling the injection of arbitrary web scripts into affected pages. When users access these compromised pages, malicious scripts can execute, potentially leading to data theft or site compromise.

Affected Version(s)

Pure Chat – Live Chat & More! * <= 2.31

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/pure-chat/#developers

https://plugins.trac.wordpress.org/browser/pure-chat/trun...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 19, 2025
Vulnerability Reserved
Jan 26, 2025

Credit

Rein Daelman